Overview GBA Technical Data GBA Memory Map GBA I/O Map Hardware Programming GBA LCD Video Controller GBA Sound Controller GBA Timers GBA DMA Transfers GBA Communication Ports GBA Keypad Input GBA Interrupt Control GBA System Control Other GBA Cartridges BIOS Functions Unpredictable Things External Connectors |
Overview DS Technical Data DS I/O Maps DS Memory Maps Hardware Programming DS Memory Control DS Video DS 3D Video DS Sound DS System and Built-in Peripherals DS Cartridges, Encryption, Firmware DS Xboo DS Wireless Communications Other DS GBA-Mode BIOS Functions CPU Reference External Connectors |
General Information CPU Overview CPU Register Set CPU Flags CPU Exceptions CPU Memory Alignments The Instruction Sets THUMB Instruction Set ARM Instruction Set Pseudos & Directives Further Information ARM System Control CP15 CPU Clock Cycles CPU Versions CPU Data Sheet About GBATEK About this Document |
| GBA Technical Data |
ARM Mode ARM7TDMI 32bit RISC CPU, 16.78MHz, 32bit opcodes (GBA) THUMB Mode ARM7TDMI 32bit RISC CPU, 16.78MHz, 16bit opcodes (GBA) CGB Mode Z80/8080-style 8bit CPU, 4.2MHz or 8.4MHz (CGB compatibility) DMG Mode Z80/8080-style 8bit CPU, 4.2MHz (monochrome gameboy compatib.) |
BIOS ROM 16 KBytes Work RAM 288 KBytes (32K in-chip + 256K on-board) VRAM 96 KBytes OAM 1 KByte (128 OBJs 3x16bit, 32 OBJ-Rotation/Scalings 4x16bit) Palette RAM 1 KByte (256 BG colors, 256 OBJ colors) |
Display 240x160 pixels (2.9 inch TFT color LCD display) BG layers 4 background layers BG types Tile/map based, or Bitmap based BG colors 256 colors, or 16 colors/16 palettes, or 32768 colors OBJ colors 256 colors, or 16 colors/16 palettes OBJ size 12 types (in range 8x8 up to 64x64 dots) OBJs/Screen max. 128 OBJs of any size (up to 64x64 dots each) OBJs/Line max. 128 OBJs of 8x8 dots size (under best circumstances) Priorities OBJ/OBJ: 0-127, OBJ/BG: 0-3, BG/BG: 0-3 Effects Rotation/Scaling, alpha blending, fade-in/out, mosaic, window Backlight GBA SP only (optionally by light on/off toggle button) |
Analogue 4 channel CGB compatible (3x square wave, 1x noise) Digital 2 DMA sound channels Output Built-in speaker (mono), or headphones socket (stereo) |
Gamepad 4 Direction Keys, 6 Buttons |
Serial Port Various transfer modes, 4-Player Link, Single Game Pak play |
GBA Game Pak max. 32MB ROM or flash ROM + max 64K SRAM CGB Game Pak max. 32KB ROM + 8KB SRAM (more memory requires banking) |
Size (mm) GBA: 145x81x25 - GBA SP: 82x82x24 (closed), 155x82x24 (stretch) |
Battery GBA GBA: 2x1.5V DC (AA), Life-time approx. 15 hours Battery SP GBA SP: Built-in rechargeable Lithium ion battery, 3.7V 600mAh External GBA: 3.3V DC 350mA - GBA SP: 5.2V DC 320mA |
----------------------------------------------------------------------------
____._____________...___.____ _______________________
____/ : CARTRIDGE SIO : \____ | _____________________ |
| L _____________________ LED R | || ||
| | | | || 2.9" TFT SCREEN ||
| _||_ | 2.9" TFT SCREEN | (A) | || 240x160pix 61x40mm ||
| |_ _| | 240x160pix 61x40mm | (B) | || WITH BACKLIGHT ||
| || | NO BACKLIGHT | :::: | || ||
| | | SPEAKR | ||_____________________||
| STRT() |_____________________| :::: | | GAME BOY ADVANCE SP |
| SLCT() GAME BOY ADVANCE VOLUME | |_______________________|
|____ OFF-ON BATTERY 2xAA PHONES _==_| |_|________|________|_|_|
\__.##.__________________,,___/ |L EXT1 EXT2 R|
.::' | (*) LEDSo
.::' (OPENED) (VOL_||_ (A) o
GBA SP SIDE VIEW .::' | |_ _| ,,,,,(B) |
(CLOSED) .::' (STRETCHED) | || ;SPK; |
...................... _ ...................... | ''''' ON #
:_____________________(_).....................: | SLCT STRT OFF#
|. . . . . . . .'.'. _| | CART. () () |
|_CARTRIDGE_:_BATT._:_|_| <-- EXT1/EXT2 |_:___________________:_|
|
----------------------------------------------------------------------------
_____________________________________
| _____________________ |
| | | |
| | 3" TFT SCREEN | |
| | 256x192pix 61x46mm | |
| | BACKLIGHT | |
| ::::: | | ::::: |
| ::::: |_____________________| ::::: |
_| _ ______ _ |_
|L|_______| |________| |_| |_______|R|
|_______ _____________________ _______|
| PWR | | | |SEL STA|
| _ | | 3" TFT SCREEN | | |
| _| |_ | | 256x192pix 61x46mm | | X |
||_ _|| | BACKLIGHT | | Y A |
| |_| | | TOUCH SCREEN | | B |
| | |_____________________| | |
|_______| NintendoDS |_______|
| MIC LEDS |
|_________________________________________|
VOL SLOT2(GBA) MIC/PHONES
|
_____________________________________
| _____________________ |
| | | |
| | 3" TFT SCREEN | |
| ... | 256x192pix 61x46mm | ... |
| ... | BACKLIGHT | ... |
| | DS LITE | |
| |_____________________| |
|___ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ____|
L| _ |_____________MIC____________|LEDS|R
| _ _____________________ |
| _| |_ | | X |
||_ _|| 3" TFT SCREEN | Y A |PWR
| |_| | 256x192pix 61x46mm | B |
| | BACKLIGHT | |
| | TOUCH SCREEN |oSTART |
| |_____________________|oSELECT|
|_____________________________________|
VOL SLOT2(GBA) MIC/PHONES
|
| GBA Memory Map |
00000000-00003FFF BIOS - System ROM (16 KBytes) 00004000-01FFFFFF Not used 02000000-0203FFFF WRAM - On-board Work RAM (256 KBytes) 2 Wait 02040000-02FFFFFF Not used 03000000-03007FFF WRAM - In-chip Work RAM (32 KBytes) 03008000-03FFFFFF Not used 04000000-040003FE I/O Registers 04000400-04FFFFFF Not used |
05000000-050003FF BG/OBJ Palette RAM (1 Kbyte) 05000400-05FFFFFF Not used 06000000-06017FFF VRAM - Video RAM (96 KBytes) 06018000-06FFFFFF Not used 07000000-070003FF OAM - OBJ Attributes (1 Kbyte) 07000400-07FFFFFF Not used |
08000000-09FFFFFF Game Pak ROM/FlashROM (max 32MB) - Wait State 0 0A000000-0BFFFFFF Game Pak ROM/FlashROM (max 32MB) - Wait State 1 0C000000-0DFFFFFF Game Pak ROM/FlashROM (max 32MB) - Wait State 2 0E000000-0E00FFFF Game Pak SRAM (max 64 KBytes) - 8bit Bus width 0E010000-0FFFFFFF Not used |
10000000-FFFFFFFF Not used (upper 4bits of address bus unused) |
Region Bus Read Write Cycles BIOS ROM 32 8/16/32 - 1/1/1 Work RAM 32K 32 8/16/32 8/16/32 1/1/1 I/O 32 8/16/32 8/16/32 1/1/1 OAM 32 8/16/32 16/32 1/1/1 * Work RAM 256K 16 8/16/32 8/16/32 3/3/6 ** Palette RAM 16 8/16/32 16/32 1/1/2 * VRAM 16 8/16/32 16/32 1/1/2 * GamePak ROM 16 8/16/32 - 5/5/8 **/*** GamePak Flash 16 8/16/32 16/32 5/5/8 **/*** GamePak SRAM 8 8 8 5 ** |
* Plus 1 cycle if GBA accesses video memory at the same time. ** Default waitstate settings, see System Control chapter. *** Separate timings for sequential, and non-sequential accesses. One cycle equals approx. 59.59ns (ie. 16.78MHz clock). |
| GBA I/O Map |
4000000h 2 R/W DISPCNT LCD Control 4000002h 2 R/W - Undocumented - Green Swap 4000004h 2 R/W DISPSTAT General LCD Status (STAT,LYC) 4000006h 2 R VCOUNT Vertical Counter (LY) 4000008h 2 R/W BG0CNT BG0 Control 400000Ah 2 R/W BG1CNT BG1 Control 400000Ch 2 R/W BG2CNT BG2 Control 400000Eh 2 R/W BG3CNT BG3 Control 4000010h 2 W BG0HOFS BG0 X-Offset 4000012h 2 W BG0VOFS BG0 Y-Offset 4000014h 2 W BG1HOFS BG1 X-Offset 4000016h 2 W BG1VOFS BG1 Y-Offset 4000018h 2 W BG2HOFS BG2 X-Offset 400001Ah 2 W BG2VOFS BG2 Y-Offset 400001Ch 2 W BG3HOFS BG3 X-Offset 400001Eh 2 W BG3VOFS BG3 Y-Offset 4000020h 2 W BG2PA BG2 Rotation/Scaling Parameter A (dx) 4000022h 2 W BG2PB BG2 Rotation/Scaling Parameter B (dmx) 4000024h 2 W BG2PC BG2 Rotation/Scaling Parameter C (dy) 4000026h 2 W BG2PD BG2 Rotation/Scaling Parameter D (dmy) 4000028h 4 W BG2X BG2 Reference Point X-Coordinate 400002Ch 4 W BG2Y BG2 Reference Point Y-Coordinate 4000030h 2 W BG3PA BG3 Rotation/Scaling Parameter A (dx) 4000032h 2 W BG3PB BG3 Rotation/Scaling Parameter B (dmx) 4000034h 2 W BG3PC BG3 Rotation/Scaling Parameter C (dy) 4000036h 2 W BG3PD BG3 Rotation/Scaling Parameter D (dmy) 4000038h 4 W BG3X BG3 Reference Point X-Coordinate 400003Ch 4 W BG3Y BG3 Reference Point Y-Coordinate 4000040h 2 W WIN0H Window 0 Horizontal Dimensions 4000042h 2 W WIN1H Window 1 Horizontal Dimensions 4000044h 2 W WIN0V Window 0 Vertical Dimensions 4000046h 2 W WIN1V Window 1 Vertical Dimensions 4000048h 2 R/W WININ Inside of Window 0 and 1 400004Ah 2 R/W WINOUT Inside of OBJ Window & Outside of Windows 400004Ch 2 W MOSAIC Mosaic Size 400004Eh - - Not used 4000050h 2 R/W BLDCNT Color Special Effects Selection 4000052h 2 W BLDALPHA Alpha Blending Coefficients 4000054h 2 W BLDY Brightness (Fade-In/Out) Coefficient 4000056h - - Not used |
4000060h 2 R/W SOUND1CNT_L Channel 1 Sweep register (NR10) 4000062h 2 R/W SOUND1CNT_H Channel 1 Duty/Length/Envelope (NR11, NR12) 4000064h 2 R/W SOUND1CNT_X Channel 1 Frequency/Control (NR13, NR14) 4000066h - - Not used 4000068h 2 R/W SOUND2CNT_L Channel 2 Duty/Length/Envelope (NR21, NR22) 400006Ah - - Not used 400006Ch 2 R/W SOUND2CNT_H Channel 2 Frequency/Control (NR23, NR24) 400006Eh - - Not used 4000070h 2 R/W SOUND3CNT_L Channel 3 Stop/Wave RAM select (NR30) 4000072h 2 R/W SOUND3CNT_H Channel 3 Length/Volume (NR31, NR32) 4000074h 2 R/W SOUND3CNT_X Channel 3 Frequency/Control (NR33, NR34) 4000076h - - Not used 4000078h 2 R/W SOUND4CNT_L Channel 4 Length/Envelope (NR41, NR42) 400007Ah - - Not used 400007Ch 2 R/W SOUND4CNT_H Channel 4 Frequency/Control (NR43, NR44) 400007Eh - - Not used 4000080h 2 R/W SOUNDCNT_L Control Stereo/Volume/Enable (NR50, NR51) 4000082h 2 R/W SOUNDCNT_H Control Mixing/DMA Control 4000084h 2 R/W SOUNDCNT_X Control Sound on/off (NR52) 4000086h - - Not used 4000088h 2 BIOS SOUNDBIAS Sound PWM Control 400008Ah .. - - Not used 4000090h 2x10h R/W WAVE_RAM Channel 3 Wave Pattern RAM (2 banks!!) 40000A0h 4 W FIFO_A Channel A FIFO, Data 0-3 40000A4h 4 W FIFO_B Channel B FIFO, Data 0-3 40000A8h - - Not used |
40000B0h 4 W DMA0SAD DMA 0 Source Address 40000B4h 4 W DMA0DAD DMA 0 Destination Address 40000B8h 2 W DMA0CNT_L DMA 0 Word Count 40000BAh 2 R/W DMA0CNT_H DMA 0 Control 40000BCh 4 W DMA1SAD DMA 1 Source Address 40000C0h 4 W DMA1DAD DMA 1 Destination Address 40000C4h 2 W DMA1CNT_L DMA 1 Word Count 40000C6h 2 R/W DMA1CNT_H DMA 1 Control 40000C8h 4 W DMA2SAD DMA 2 Source Address 40000CCh 4 W DMA2DAD DMA 2 Destination Address 40000D0h 2 W DMA2CNT_L DMA 2 Word Count 40000D2h 2 R/W DMA2CNT_H DMA 2 Control 40000D4h 4 W DMA3SAD DMA 3 Source Address 40000D8h 4 W DMA3DAD DMA 3 Destination Address 40000DCh 2 W DMA3CNT_L DMA 3 Word Count 40000DEh 2 R/W DMA3CNT_H DMA 3 Control 40000E0h - - Not used |
4000100h 2 R/W TM0CNT_L Timer 0 Counter/Reload 4000102h 2 R/W TM0CNT_H Timer 0 Control 4000104h 2 R/W TM1CNT_L Timer 1 Counter/Reload 4000106h 2 R/W TM1CNT_H Timer 1 Control 4000108h 2 R/W TM2CNT_L Timer 2 Counter/Reload 400010Ah 2 R/W TM2CNT_H Timer 2 Control 400010Ch 2 R/W TM3CNT_L Timer 3 Counter/Reload 400010Eh 2 R/W TM3CNT_H Timer 3 Control 4000110h - - Not used |
4000120h 4 R/W SIODATA32 SIO Data (Normal-32bit Mode) (shared with below!) 4000120h 2 R/W SIOMULTI0 SIO Data 0 (Parent) (Multi-Player Mode) 4000122h 2 R/W SIOMULTI1 SIO Data 1 (1st Child) (Multi-Player Mode) 4000124h 2 R/W SIOMULTI2 SIO Data 2 (2nd Child) (Multi-Player Mode) 4000126h 2 R/W SIOMULTI3 SIO Data 3 (3rd Child) (Multi-Player Mode) 4000128h 2 R/W SIOCNT SIO Control Register 400012Ah 2 R/W SIOMLT_SEND SIO Data (Local of Multi-Player) (shared below) 400012Ah 2 R/W SIODATA8 SIO Data (Normal-8bit and UART Mode) 400012Ch - - Not used |
4000130h 2 R KEYINPUT Key Status 4000132h 2 R/W KEYCNT Key Interrupt Control |
4000134h 2 R/W RCNT SIO Mode Select/General Purpose Data 4000136h - - IR Ancient - Infrared Register (Prototypes only) 4000138h - - Not used 4000140h 2 R/W JOYCNT SIO JOY Bus Control 4000142h - - Not used 4000150h 4 R/W JOY_RECV SIO JOY Bus Receive Data 4000154h 4 R/W JOY_TRANS SIO JOY Bus Transmit Data 4000158h 2 R/? JOYSTAT SIO JOY Bus Receive Status 400015Ah - - Not used |
4000200h 2 R/W IE Interrupt Enable Register 4000202h 2 R/W IF Interrupt Request Flags / IRQ Acknowledge 4000204h 2 R/W WAITCNT Game Pak Waitstate Control 4000206h - - Not used 4000208h 2 R/W IME Interrupt Master Enable Register 400020Ah - - Not used 4000300h 1 R/W POSTFLG Undocumented - Post Boot Flag 4000301h 1 W HALTCNT Undocumented - Power Down Control 4000302h - - Not used 4000410h ? ? ? Undocumented - Purpose Unknown / Bug ??? 0FFh 4000411h - - Not used 4000800h 4 R/W ? Undocumented - Internal Memory Control (R/W) 4000804h - - Not used 4xx0800h 4 R/W ? Mirrors of 4000800h (repeated each 64K) |
| GBA LCD Video Controller |
| LCD I/O Display Control |
Bit Expl. 0-2 BG Mode (0-5=Video Mode 0-5, 6-7=Prohibited) 3 Reserved / CGB Mode (0=GBA, 1=CGB; can be set only by BIOS opcodes) 4 Display Frame Select (0-1=Frame 0-1) (for BG Modes 4,5 only) 5 H-Blank Interval Free (1=Allow access to OAM during H-Blank) 6 OBJ Character VRAM Mapping (0=Two dimensional, 1=One dimensional) 7 Forced Blank (1=Allow FAST access to VRAM,Palette,OAM) 8 Screen Display BG0 (0=Off, 1=On) 9 Screen Display BG1 (0=Off, 1=On) 10 Screen Display BG2 (0=Off, 1=On) 11 Screen Display BG3 (0=Off, 1=On) 12 Screen Display OBJ (0=Off, 1=On) 13 Window 0 Display Flag (0=Off, 1=On) 14 Window 1 Display Flag (0=Off, 1=On) 15 OBJ Window Display Flag (0=Off, 1=On) |
Mode Rot/Scal Layers Size Tiles Colors Features 0 No 0123 256x256..512x515 1024 16/16..256/1 SFMABP 1 Mixed 012- (BG0,BG1 as above Mode 0, BG2 as below Mode 2) 2 Yes --23 128x128..1024x1024 256 256/1 S-MABP 3 Yes --2- 240x160 1 32768 --MABP 4 Yes --2- 240x160 2 256/1 --MABP 5 Yes --2- 160x128 2 32768 --MABP |
Bit Expl. 0 Green Swap (0=Normal, 1=Swap) 1-15 Not used |
| LCD I/O Interrupts and Status |
Bit Expl. 0 V-Blank flag (Read only) (1=VBlank) (set in line 160..226; not 227) 1 H-Blank flag (Read only) (1=HBlank) (toggled in all lines, 0..227) 2 V-Counter flag (Read only) (1=Match) (set in selected line) 3 V-Blank IRQ Enable (1=Enable) 4 H-Blank IRQ Enable (1=Enable) 5 V-Counter IRQ Enable (1=Enable) 6-7 Not used 8-15 V-Count Setting (LYC) (0..227) |
Bit Expl. 0-7 Current scanline (LY) (0..227) 8-15 Not Used |
| LCD I/O BG Control |
Bit Expl. 0-1 BG Priority (0-3, 0=Highest) 2-3 Character Base Block (0-3, in units of 16 KBytes) (=BG Tile Data) 4-5 Not used (must be zero) 6 Mosaic (0=Disable, 1=Enable) 7 Colors/Palettes (0=16/16, 1=256/1) 8-12 Screen Base Block (0-31, in units of 2 KBytes) (=BG Map Data) 13 Display Area Overflow (0=Transparent, 1=Wraparound; BG2CNT/BG3CNT only) 14-15 Screen Size (0-3) |
Value Text Mode Rotation/Scaling Mode 0 256x256 (2K) 128x128 (256 bytes) 1 512x256 (4K) 256x256 (1K) 2 256x512 (4K) 512x512 (4K) 3 512x512 (8K) 1024x1024 (16K) |
| LCD I/O BG Scrolling |
Bit Expl. 0-8 Offset (0-511) 9-15 Not used |
| LCD I/O BG Rotation/Scaling |
Bit Expl. 0-7 Fractional portion (8 bits) 8-26 Integer portion (19 bits) 27 Sign (1 bit) 28-31 Not used |
Bit Expl. 0-7 Fractional portion (8 bits) 8-14 Integer portion (7 bits) 15 Sign (1 bit) |
Rotation Center X and Y Coordinates (x0,y0) Rotation Angle (alpha) Magnification X and Y Values (xMag,yMag) |
A = Cos (alpha) / xMag ;distance moved in direction x, same line B = Sin (alpha) / xMag ;distance moved in direction x, next line C = Sin (alpha) / yMag ;distance moved in direction y, same line D = Cos (alpha) / yMag ;distance moved in direction y, next line |
x0,y0 Rotation Center x1,y1 Old Position of a pixel (before rotation/scaling) x2,y2 New position of above pixel (after rotation scaling) A,B,C,D BG2PA-BG2PD Parameters (as calculated above) |
x2 = A(x1-x0) + B(y1-y0) + x0 y2 = C(x1-x0) + D(y1-y0) + y0 |
| LCD I/O Window Feature |
Bit Expl. 0-7 X2, Rightmost coordinate of window, plus 1 8-15 X1, Leftmost coordinate of window |
Bit Expl. 0-7 Y2, Bottom-most coordinate of window, plus 1 8-15 Y1, Top-most coordinate of window |
Bit Expl. 0-3 Window 0 BG0-BG3 Enable Bits (0=No Display, 1=Display) 4 Window 0 OBJ Enable Bit (0=No Display, 1=Display) 5 Window 0 Color Special Effect (0=Disable, 1=Enable) 6-7 Not used 8-11 Window 1 BG0-BG3 Enable Bits (0=No Display, 1=Display) 12 Window 1 OBJ Enable Bit (0=No Display, 1=Display) 13 Window 1 Color Special Effect (0=Disable, 1=Enable) 14-15 Not used |
Bit Expl. 0-3 Outside BG0-BG3 Enable Bits (0=No Display, 1=Display) 4 Outside OBJ Enable Bit (0=No Display, 1=Display) 5 Outside Color Special Effect (0=Disable, 1=Enable) 6-7 Not used 8-11 OBJ Window BG0-BG3 Enable Bits (0=No Display, 1=Display) 12 OBJ Window OBJ Enable Bit (0=No Display, 1=Display) 13 OBJ Window Color Special Effect (0=Disable, 1=Enable) 14-15 Not used |
| LCD I/O Mosaic Function |
Bit Expl. 0-3 BG Mosaic H-Size (minus 1) 4-7 BG Mosaic V-Size (minus 1) 8-11 OBJ Mosaic H-Size (minus 1) 12-15 OBJ Mosaic V-Size (minus 1) |
| LCD I/O Color Special Effects |
Bit Expl.
0 BG0 1st Target Pixel (Background 0)
1 BG1 1st Target Pixel (Background 1)
2 BG2 1st Target Pixel (Background 2)
3 BG3 1st Target Pixel (Background 3)
4 OBJ 1st Target Pixel (Top-most OBJ pixel)
5 BD 1st Target Pixel (Backdrop)
6-7 Color Special Effect (0-3, see below)
0 = None (Special effects disabled)
1 = Alpha Blending (1st+2nd Target mixed)
2 = Brightness Increase (1st Target becomes whiter)
3 = Brightness Decrease (1st Target becomes blacker)
8 BG0 2nd Target Pixel (Background 0)
9 BG1 2nd Target Pixel (Background 1)
10 BG2 2nd Target Pixel (Background 2)
11 BG3 2nd Target Pixel (Background 3)
12 OBJ 2nd Target Pixel (Top-most OBJ pixel)
13 BD 2nd Target Pixel (Backdrop)
14-15 Not used
|
Bit Expl. 0-4 EVA Coefficient (1st Target) (0..16 = 0/16..16/16, 17..31=16/16) 5-7 Not used 8-12 EVB Coefficient (2nd Target) (0..16 = 0/16..16/16, 17..31=16/16) 13-15 Not used |
I = MIN ( 31, I1st*EVA + I2nd*EVB ) |
Bit Expl. 0-4 EVY Coefficient (Brightness) (0..16 = 0/16..16/16, 17..31=16/16) 5-15 Not used |
I = I1st + (31-I1st)*EVY ;For Brightness Increase I = I1st - (I1st)*EVY ;For Brightness Decrease |
| LCD VRAM Overview |
06000000-0600FFFF 64 KBytes shared for BG Map and Tiles 06010000-06017FFF 32 KBytes OBJ Tiles |
Item Depth Required Memory One Tile 4bit 20h bytes One Tile 8bit 40h bytes 1024 Tiles 4bit 8000h (32K) 1024 Tiles 8bit 10000h (64K) - excluding some bytes for BG map BG Map 32x32 800h (2K) BG Map 64x64 2000h (8K) |
Item Depth Required Memory One Tile 8bit 40h bytes 256 Tiles 8bit 4000h (16K) BG Map 16x16 100h bytes BG Map 128x128 4000h (16K) |
06000000-06013FFF 80 KBytes Frame 0 buffer (only 75K actually used) 06014000-06017FFF 16 KBytes OBJ Tiles |
06000000-06009FFF 40 KBytes Frame 0 buffer (only 37.5K used in Mode 4) 0600A000-06013FFF 40 KBytes Frame 1 buffer (only 37.5K used in Mode 4) 06014000-06017FFF 16 KBytes OBJ Tiles |
| LCD VRAM Character Data |
| LCD VRAM BG Screen Data Format (BG Map) |
Bit Expl.
0-9 Tile Number (0-1023) (a bit less in 256 color mode, because
there'd be otherwise no room for the bg map)
10 Horizontal Flip (0=Normal, 1=Mirrored)
11 Vertical Flip (0=Normal, 1=Mirrored)
12-15 Palette Number (0-15) (Not used in 256 color/1 palette mode)
|
Bit Expl. 0-7 Tile Number (0-255) |
| LCD VRAM Bitmap BG Modes |
Bit Expl. 0-4 Red Intensity (0-31) 5-9 Green Intensity (0-31) 10-14 Blue Intensity (0-31) 15 Not used |
| LCD OBJ - Overview |
1210 (=304*4-6) If "H-Blank Interval Free" bit in DISPCNT register is 0 954 (=240*4-6) If "H-Blank Interval Free" bit in DISPCNT register is 1 |
Cycles per <n> Pixels OBJ Type OBJ Type Screen Pixel Range n*1 cycles Normal OBJs 8..64 pixels 10+n*2 cycles Rotation/Scaling OBJs 8..64 pixels (area clipped) 10+n*2 cycles Rotation/Scaling OBJs 16..128 pixels (double size) |
| LCD OBJ - OAM Attributes |
Bit Expl.
0-7 Y-Coordinate (0-255)
8 Rotation/Scaling Flag (0=Off, 1=On)
When Rotation/Scaling used (Attribute 0, bit 8 set):
9 Double-Size Flag (0=Normal, 1=Double)
When Rotation/Scaling not used (Attribute 0, bit 8 cleared):
9 OBJ Disable (0=Normal, 1=Not displayed)
10-11 OBJ Mode (0=Normal, 1=Semi-Transparent, 2=OBJ Window, 3=Prohibited)
12 OBJ Mosaic (0=Off, 1=On)
13 Colors/Palettes (0=16/16, 1=256/1)
14-15 OBJ Shape (0=Square,1=Horizontal,2=Vertical,3=Prohibited)
|
Bit Expl.
0-8 X-Coordinate (0-511)
When Rotation/Scaling used (Attribute 0, bit 8 set):
9-13 Rotation/Scaling Parameter Selection (0-31)
(Selects one of the 32 Rotation/Scaling Parameters that
can be defined in OAM, for details read next chapter.)
When Rotation/Scaling not used (Attribute 0, bit 8 cleared):
9-11 Not used
12 Horizontal Flip (0=Normal, 1=Mirrored)
13 Vertical Flip (0=Normal, 1=Mirrored)
14-15 OBJ Size (0..3, depends on OBJ Shape, see Attr 0)
Size Square Horizontal Vertical
0 8x8 16x8 8x16
1 16x16 32x8 8x32
2 32x32 32x16 16x32
3 64x64 64x32 32x64
|
Bit Expl. 0-9 Character Name (0-1023=Tile Number) 10-11 Priority relative to BG (0-3; 0=Highest) 12-15 Palette Number (0-15) (Not used in 256 color/1 palette mode) |
OBJ No. 0 with Priority relative to BG=1 ;hi OBJ prio, lo BG prio OBJ No. 1 with Priority relative to BG=0 ;lo OBJ prio, hi BG prio |
| LCD OBJ - OAM Rotation/Scaling Parameters |
1st Group - PA=07000006, PB=0700000E, PC=07000016, PD=0700001E 2nd Group - PA=07000026, PB=0700002E, PC=07000036, PD=0700003E etc. |
| LCD OBJ - VRAM Character (Tile) Mapping |
| LCD Color Palettes |
05000000-050001FF - BG Palette RAM (512 bytes, 256 colors) 05000200-050003FF - OBJ Palette RAM (512 bytes, 256 colors) |
Bit Expl. 0-4 Red Intensity (0-31) 5-9 Green Intensity (0-31) 10-14 Blue Intensity (0-31) 15 Not used |
| LCD Dimensions and Timings |
Visible 240 dots, 57.221 us, 960 cycles - 78% of h-time H-Blanking 68 dots, 16.212 us, 272 cycles - 22% of h-time Total 308 dots, 73.433 us, 1232 cycles - ca. 13.620 kHz |
Visible (*) 160 lines, 11.749 ms, 197120 cycles - 70% of v-time V-Blanking 68 lines, 4.994 ms, 83776 cycles - 30% of v-time Total 228 lines, 16.743 ms, 280896 cycles - ca. 59.737 Hz |
| GBA Sound Controller |
| GBA Sound Channel 1 - Tone & Sweep |
Bit Expl. 0-2 R/W Number of sweep shift (n=0-7) 3 R/W Sweep Frequency Direction (0=Increase, 1=Decrease) 4-6 R/W Sweep Time; units of 7.8ms (0-7, min=7.8ms, max=54.7ms) 7-15 - Not used |
X(t) = X(t-1) +/- X(t-1)/2^n |
Bit Expl. 0-5 W Sound length; units of (64-n)/256s (0-63) 6-7 R/W Wave Pattern Duty (0-3, see below) 8-10 R/W Envelope Step-Time; units of n/64s (1-7, 0=No Envelope) 11 R/W Envelope Direction (0=Decrease, 1=Increase) 12-15 R/W Initial Volume of envelope (1-15, 0=No Sound) |
0: 12.5% ( -_______-_______-_______ ) 1: 25% ( --______--______--______ ) 2: 50% ( ----____----____----____ ) (normal) 3: 75% ( ------__------__------__ ) |
Bit Expl. 0-10 W Frequency; 131072/(2048-n)Hz (0-2047) 11-13 - Not used 14 R/W Length Flag (1=Stop output when length in NR11 expires) 15 W Initial (1=Restart Sound) 16-31 - Not used |
| GBA Sound Channel 2 - Tone |
| GBA Sound Channel 3 - Wave Output |
Bit Expl. 0-4 - Not used 5 R/W Wave RAM Dimension (0=One bank/32 digits, 1=Two banks/64 digits) 6 R/W Wave RAM Bank Number (0-1, see below) 7 R/W Sound Channel 3 Off (0=Stop, 1=Playback) 8-15 - Not used |
Bit Expl. 0-7 W Sound length; units of (256-n)/256s (0-255) 8-12 - Not used. 13-14 R/W Sound Volume (0=Mute/Zero, 1=100%, 2=50%, 3=25%) 15 R/W Force Volume (0=Use above, 1=Force 75% regardless of above) |
Bit Expl. 0-10 W Sample Rate; 2097152/(2048-n) Hz (0-2047) 11-13 - Not used 14 R/W Length Flag (1=Stop output when length in NR31 expires) 15 W Initial (1=Restart Sound) 16-31 - Not used |
Wave RAM, single bank 32 digits Tone Frequency FFFFFFFFFFFFFFFF0000000000000000 65536/(2048-n) Hz FFFFFFFF00000000FFFFFFFF00000000 131072/(2048-n) Hz FFFF0000FFFF0000FFFF0000FFFF0000 262144/(2048-n) Hz FF00FF00FF00FF00FF00FF00FF00FF00 524288/(2048-n) Hz F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0 1048576/(2048-n) Hz |
| GBA Sound Channel 4 - Noise |
Bit Expl. 0-5 W Sound length; units of (64-n)/256s (0-63) 6-7 - Not used 8-10 R/W Envelope Step-Time; units of n/64s (1-7, 0=No Envelope) 11 R/W Envelope Direction (0=Decrease, 1=Increase) 12-15 R/W Initial Volume of envelope (1-15, 0=No Sound) 16-31 - Not used |
Bit Expl. 0-2 R/W Dividing Ratio of Frequencies (r) 3 R/W Counter Step/Width (0=15 bits, 1=7 bits) 4-7 R/W Shift Clock Frequency (s) 8-13 - Not used 14 R/W Length Flag (1=Stop output when length in NR41 expires) 15 W Initial (1=Restart Sound) 16-31 - Not used |
7bit: X=X SHR 1, IF carry THEN Out=HIGH, X=X XOR 60h ELSE Out=LOW 15bit: X=X SHR 1, IF carry THEN Out=HIGH, X=X XOR 6000h ELSE Out=LOW |
| GBA Sound Channel A and B - DMA Sound |
If Timer overflows then
Move 8bit data from FIFO to sound circuit.
If FIFO contains only 4 x 32bits (16 bytes) then
Request more data per DMA
Receive 4 x 32bit (16 bytes) per DMA
Endif
Endif
|
| GBA Sound Control Registers |
Bit Expl. 0-2 Sound 1-4 Master Volume RIGHT (0-7) 3 Not used 4-6 Sound 1-4 Master Volume LEFT (0-7) 7 Not used 8-11 Sound 1-4 Enable Flags RIGHT (each Bit 8-11, 0=Disable, 1=Enable) 12-15 Sound 1-4 Enable Flags LEFT (each Bit 12-15, 0=Disable, 1=Enable) |
Bit Expl. 0-1 Sound # 1-4 Volume (0=25%, 1=50%, 2=100%, 3=Prohibited) 2 DMA Sound A Volume (0=50%, 1=100%) 3 DMA Sound B Volume (0=50%, 1=100%) 4-7 Not used 8 DMA Sound A Enable RIGHT (0=Disable, 1=Enable) 9 DMA Sound A Enable LEFT (0=Disable, 1=Enable) 10 DMA Sound A Timer Select (0=Timer 0, 1=Timer 1) 11 DMA Sound A Reset FIFO (1=Reset) 12 DMA Sound B Enable RIGHT (0=Disable, 1=Enable) 13 DMA Sound B Enable LEFT (0=Disable, 1=Enable) 14 DMA Sound B Timer Select (0=Timer 0, 1=Timer 1) 15 DMA Sound B Reset FIFO (1=Reset) |
Bit Expl. 0 Sound 1 ON flag (Read Only) 1 Sound 2 ON flag (Read Only) 2 Sound 3 ON flag (Read Only) 3 Sound 4 ON flag (Read Only) 4-6 Not used 7 PSG/FIFO Master Enable (0=Disable, 1=Enable) (Read/Write) 8-31 Not used |
Bit Expl. 0-9 Bias Level (Default=200h, converting signed samples into unsigned) 10-13 Not used 14-15 Amplitude Resolution/Sampling Cycle (Default=0, see below) 16-31 Not used |
0 9bit / 32.768kHz (Default, best for DMA channels A,B) 1 8bit / 65.536kHz 2 7bit / 131.072kHz 3 6bit / 262.144kHz (Best for PSG channels 1-4) |
| GBA Comparison of CGB and GBA Sound |
| GBA Timers |
Bit Expl. 0-1 Prescaler Selection (0=F/1, 1=F/64, 2=F/256, 3=F/1024) 2 Count-up Timing (0=Normal, 1=See below) 3-5 Not used 6 Timer IRQ Enable (0=Disable, 1=IRQ on Timer overflow) 7 Timer Start/Stop (0=Stop, 1=Operate) 8-15 Not used |
| GBA DMA Transfers |
Bit Expl.
0-4 Not used
5-6 Dest Addr Control (0=Increment,1=Decrement,2=Fixed,3=Increment/Reload)
7-8 Source Adr Control (0=Increment,1=Decrement,2=Fixed,3=Prohibited)
9 DMA Repeat (0=Off, 1=On) (Must be zero if Bit 11 set)
10 DMA Transfer Type (0=16bit, 1=32bit)
11 Game Pak DRQ - DMA3 only - (0=Normal, 1=DRQ <from> Game Pak, DMA3)
12-13 DMA Start Timing (0=Immediately, 1=VBlank, 2=HBlank, 3=Special)
The 'Special' setting (Start Timing=3) depends on the DMA channel:
DMA0=Prohibited, DMA1/DMA2=Sound FIFO, DMA3=Video Capture
14 IRQ upon end of Word Count (0=Disable, 1=Enable)
15 DMA Enable (0=Off, 1=On)
|
2N+2(n-1)S+xI |
| GBA Communication Ports |
| SIO Normal Mode |
Bit Expl. 0-3 Undocumented (current SC,SD,SI,SO state, as for General Purpose mode) 4-8 Not used (Should be 0, bits are read/write-able though) 9-13 Not used (Always 0, read only) 14 Not used (Should be 0, bit is read/write-able though) 15 Must be zero (0) for Normal/Multiplayer/UART modes |
Bit Expl. 0 Shift Clock (SC) (0=External, 1=Internal) 1 Internal Shift Clock (0=256KHz, 1=2MHz) 2 SI State (opponents SO) (0=Low, 1=High/None) --- (Read Only) 3 SO during inactivity (0=Low, 1=High) (applied ONLY when Bit7=0) 4-6 Not used (Read only, always 0 ?) 7 Start Bit (0=Inactive/Ready, 1=Start/Active) 8-11 Not used (R/W, should be 0) 12 Transfer Length (0=8bit, 1=32bit) 13 Must be "0" for Normal Mode 14 IRQ Enable (0=Disable, 1=Want IRQ upon completion) 15 Not used (Read only, always 0) |
(Expl. Old SO=LOW kept output until 1st clock bit received). (Expl. New SO=HIGH is automatically output at transfer completion). |
Step Sender 1st Recipient 2nd Recipient Transfer 1: DATA #0 --> UNDEF --> UNDEF --> Transfer 2: DATA #1 --> DATA #0 --> UNDEF --> Transfer 3: DATA #2 --> DATA #1 --> DATA #0 --> Transfer 4: DATA #3 --> DATA #2 --> DATA #1 --> |
| SIO Multi-Player Mode |
Bit Expl. 0-3 Undocumented (current SC,SD,SI,SO state, as for General Purpose mode) 4-8 Not used (Should be 0, bits are read/write-able though) 9-13 Not used (Always 0, read only) 14 Not used (Should be 0, bit is read/write-able though) 15 Must be zero (0) for Normal/Multiplayer/UART modes |
Bit Expl. 0-1 Baud Rate (0-3: 9600,38400,57600,115200 bps) 2 SI-Terminal (0=Parent, 1=Child) (Read Only) 3 SD-Terminal (0=Bad connection, 1=All GBAs Ready) (Read Only) 4-5 Multi-Player ID (0=Parent, 1-3=1st-3rd child) (Read Only) 6 Multi-Player Error (0=Normal, 1=Error) (Read Only) 7 Start/Busy Bit (0=Inactive, 1=Start/Busy) (Read Only for Slaves) 8-11 Not used (R/W, should be 0) 12 Must be "0" for Multi-Player mode 13 Must be "1" for Multi-Player mode 14 IRQ Enable (0=Disable, 1=Want IRQ upon completion) 15 Not used (Read only, always 0) |
GBAs Bits Delays Timeout 1 18 None Yes 2 36 1 Yes 3 54 2 Yes 4 72 3 None |
| SIO UART Mode |
Bit Expl. 0-3 Undocumented (current SC,SD,SI,SO state, as for General Purpose mode) 4-8 Not used (Should be 0, bits are read/write-able though) 9-13 Not used (Always 0, read only) 14 Not used (Should be 0, bit is read/write-able though) 15 Must be zero (0) for Normal/Multiplayer/UART modes |
Bit Expl. 0-1 Baud Rate (0-3: 9600,38400,57600,115200 bps) 2 CTS Flag (0=Send always/blindly, 1=Send only when SC=LOW) 3 Parity Control (0=Even, 1=Odd) 4 Send Data Flag (0=Not Full, 1=Full) (Read Only) 5 Receive Data Flag (0=Not Empty, 1=Empty) (Read Only) 6 Error Flag (0=No Error, 1=Error) (Read Only) 7 Data Length (0=7bits, 1=8bits) 8 FIFO Enable Flag (0=Disable, 1=Enable) 9 Parity Enable Flag (0=Disable, 1=Enable) 10 Send Enable Flag (0=Disable, 1=Enable) 11 Receive Enable Flag (0=Disable, 1=Enable) 12 Must be "1" for UART mode 13 Must be "1" for UART mode 14 IRQ Enable (0=Disable, 1=IRQ when any Bit 4/5/6 become set) 15 Not used (Read only, always 0) |
| SIO JOY BUS Mode |
Bit Expl. 0-3 Undocumented (current SC,SD,SI,SO state, as for General Purpose mode) 4-8 Not used (Should be 0, bits are read/write-able though) 9-13 Not used (Always 0, read only) 14 Must be "1" for JOY BUS Mode 15 Must be "1" for JOY BUS Mode |
Bit Expl. 0 Device Reset Flag (Command FFh) (Read/Acknowledge) 1 Receive Complete Flag (Command 14h or 15h?) (Read/Acknowledge) 2 Send Complete Flag (Command 15h or 14h?) (Read/Acknowledge) 3-5 Not used 6 IRQ when receiving a Device Reset Command (0=Disable, 1=Enable) 7-15 Not used |
Bit Expl. 0 Not used 1 Receive Status Flag (0=Remote GBA is/was receiving) (Read Only?) 2 Not used 3 Send Status Flag (1=Remote GBA is/was sending) (Read Only?) 4-5 General Purpose Flag (Not assigned, may be used for whatever purpose) 6-15 Not used |
Receive FFh (Command) Send 00h (GBA Type number LSB (or MSB?)) Send 04h (GBA Type number MSB (or LSB?)) Send XXh (lower 8bits of SIOSTAT register) |
Receive 00h (Command) Send 00h (GBA Type number LSB (or MSB?)) Send 04h (GBA Type number MSB (or LSB?)) Send XXh (lower 8bits of SIOSTAT register) |
Receive 15h (Command) Receive XXh (Lower 8bits of JOY_RECV_L) Receive XXh (Upper 8bits of JOY_RECV_L) Receive XXh (Lower 8bits of JOY_RECV_H) Receive XXh (Upper 8bits of JOY_RECV_H) Send XXh (lower 8bits of SIOSTAT register) |
Receive 14h (Command) Send XXh (Lower 8bits of JOY_TRANS_L) Send XXh (Upper 8bits of JOY_TRANS_L) Send XXh (Lower 8bits of JOY_TRANS_H) Send XXh (Upper 8bits of JOY_TRANS_H) Send XXh (lower 8bits of SIOSTAT register) |
| SIO General-Purpose Mode |
Bit Expl. 0 SC Data Bit (0=Low, 1=High) 1 SD Data Bit (0=Low, 1=High) 2 SI Data Bit (0=Low, 1=High) 3 SO Data Bit (0=Low, 1=High) 4 SC Direction (0=Input, 1=Output) 5 SD Direction (0=Input, 1=Output) 6 SI Direction (0=Input, 1=Output, but see below) 7 SO Direction (0=Input, 1=Output) 8 SI Interrupt Enable (0=Disable, 1=Enable) 9-13 Not used 14 Must be "0" for General-Purpose Mode 15 Must be "1" for General-Purpose or JOYBUS Mode |
| SIO Control Registers Summary |
R.15 R.14 S.13 S.12 Mode 0 x 0 0 Normal 8bit 0 x 0 1 Normal 32bit 0 x 1 0 Multiplay 16bit 0 x 1 1 UART (RS232) 1 0 x x General Purpose 1 1 x x JOY BUS |
Bit 0 1 2 3 4 5 6 7 8 9 10 11 Normal Master Rate SI/In SO/Out - - - Start - - - - Multi Baud Baud SI/In SD/In ID# Err Start - - - - UART Baud Baud CTS Parity S R Err Bits FIFO Parity Send Recv |
| GBA Infrared Communication |
Bit Expl. 0 Transmission Data (0=LED Off, 1=LED On) 1 READ Enable (0=Disable, 1=Enable) 2 Reception Data (0=None, 1=Signal received) (Read only) 3 AMP Operation (0=Off, 1=On) 4 IRQ Enable Flag (0=Disable, 1=Enable) 5-15 Not used |
| GBA Keypad Input |
Bit Expl. 0 Button A (0=Pressed, 1=Released) 1 Button B (etc.) 2 Select (etc.) 3 Start (etc.) 4 Right (etc.) 5 Left (etc.) 6 Up (etc.) 7 Down (etc.) 8 Button R (etc.) 9 Button L (etc.) 10-15 Not used |
Bit Expl. 0 Button A (0=Ignore, 1=Select) 1 Button B (etc.) 2 Select (etc.) 3 Start (etc.) 4 Right (etc.) 5 Left (etc.) 6 Up (etc.) 7 Down (etc.) 8 Button R (etc.) 9 Button L (etc.) 10-13 Not used 14 IRQ Enable Flag (0=Disable, 1=Enable) 15 IRQ Condition (0=Logical OR, 1=Logical AND) |
| GBA Interrupt Control |
Bit Expl. 0 Disable all interrupts (0=Disable All, 1=See IE register) 1-15 Not used |
Bit Expl. 0 LCD V-Blank (0=Disable) 1 LCD H-Blank (etc.) 2 LCD V-Counter Match (etc.) 3 Timer 0 Overflow (etc.) 4 Timer 1 Overflow (etc.) 5 Timer 2 Overflow (etc.) 6 Timer 3 Overflow (etc.) 7 Serial Communication (etc.) 8 DMA 0 (etc.) 9 DMA 1 (etc.) 10 DMA 2 (etc.) 11 DMA 3 (etc.) 12 Keypad (etc.) 13 Game Pak (external IRQ source) (etc.) 14-15 Not used |
Bit Expl. 0 LCD V-Blank (1=Request Interrupt) 1 LCD H-Blank (etc.) 2 LCD V-Counter Match (etc.) 3 Timer 0 Overflow (etc.) 4 Timer 1 Overflow (etc.) 5 Timer 2 Overflow (etc.) 6 Timer 3 Overflow (etc.) 7 Serial Communication (etc.) 8 DMA 0 (etc.) 9 DMA 1 (etc.) 10 DMA 2 (etc.) 11 DMA 3 (etc.) 12 Keypad (etc.) 13 Game Pak (external IRQ source) (etc.) 14-15 Not used |
00000018 b 128h ;IRQ vector: jump to actual BIOS handler 00000128 stmfd r13!,r0-r3,r12,r14 ;save registers to SP_irq 0000012C mov r0,4000000h ;ptr+4 to 03FFFFFC (mirror of 03007FFC) 00000130 add r14,r15,0h ;retadr for USER handler $+8=138h 00000134 ldr r15,[r0,-4h] ;jump to [03FFFFFC] USER handler 00000138 ldmfd r13!,r0-r3,r12,r14 ;restore registers from SP_irq 0000013C subs r15,r14,4h ;return from IRQ (PC=LR-4, CPSR=SPSR) |
Addr. Size Expl. 7FFCh 4 Pointer to user IRQ handler (32bit ARM code) 7FF8h 4 Interrupt Check Flag (for IntrWait/VBlankIntrWait functions) 7FF4h 4 Allocated Area 7FF0h 4 Pointer to Sound Buffer 7FE0h 16 Allocated Area 7FA0h 64 Default area for SP_svc Supervisor Stack (4 words/time) 7F00h 160 Default area for SP_irq Interrupt Stack (6 words/time) |
SP_svc=03007FE0h SP_irq=03007FA0h SP_usr=03007F00h |
| GBA System Control |
Bit Expl. 0-1 SRAM Wait Control (0..3 = 4,3,2,8 cycles) 2-3 Wait State 0 First Access (0..3 = 4,3,2,8 cycles) 4 Wait State 0 Second Access (0..1 = 2,1 cycles) 5-6 Wait State 1 First Access (0..3 = 4,3,2,8 cycles) 7 Wait State 1 Second Access (0..1 = 4,1 cycles; unlike above WS0) 8-9 Wait State 2 First Access (0..3 = 4,3,2,8 cycles) 10 Wait State 2 Second Access (0..1 = 8,1 cycles; unlike above WS0,WS1) 11-12 PHI Terminal Output (0..3 = Disable, 4.19MHz, 8.38MHz, 16.78MHz) 13 Not used 14 Game Pak Prefetch Buffer (Pipe) (0=Disable, 1=Enable) 15 Game Pak Type Flag (Read Only) (0=GBA, 1=CGB) (IN35 signal) |
Bit Expl. 0 Undocumented. First Boot Flag (0=First, 1=Further) 1-7 Undocumented. Not used. |
Bit Expl. 0-6 Undocumented. Not used. 7 Undocumented. Power Down Mode (0=Halt, 1=Stop) |
Bit Expl. 0 Disable 32K+256K WRAM (0=Normal, 1=Disable) (when off: empty/prefetch) 1-3 Unknown (Read/Write-able) 4 Unknown (Always zero, not used or write only) 5 Enable 256K WRAM (0=Disable, 1=Normal) (when off: mirror of 32K WRAM) 6-23 Unknown (Always zero, not used or write only) 24-27 Wait Control WRAM 256K (0-14 = 15..1 Waitstates, 15=Lockup) 28-31 Unknown (Read/Write-able) |
| GamePak Prefetch |
1) opcodes with internal cycles (I) which do not change R15, shift/rotate
register-by-register, load opcodes (ldr,ldm,pop,swp), multiply opcodes
2) opcodes that load/store memory (ldr,str,ldm,stm,etc.)
|
"Opcodes in GamePak ROM with Internal Cycles which do not change R15" |
| GBA Cartridges |
| GBA Cartridge Header |
Address Bytes Expl. 000h 4 ROM Entry Point (32bit ARM branch opcode, eg. "B rom_start") 004h 156 Nintendo Logo (compressed bitmap, required!) 0A0h 12 Game Title (uppercase ascii, max 12 characters) 0ACh 4 Game Code (uppercase ascii, 4 characters) 0B0h 2 Maker Code (uppercase ascii, 2 characters) 0B2h 1 Fixed value (must be 96h, required!) 0B3h 1 Main unit code (00h for current GBA models) 0B4h 1 Device type (usually 00h) 0B5h 7 Reserved Area (should be zero filled) 0BCh 1 Software version (usually 00h) 0BDh 1 Complement check (header checksum, required!) 0BEh 2 Reserved Area (should be zero filled) --- Additional Multiboot Header Entries --- 0C0h 4 RAM Entry Point (32bit ARM branch opcode, eg. "B ram_start") 0C4h 1 Boot mode (init as 00h - BIOS overwrites this value!) 0C5h 1 Slave ID Number (init as 00h - BIOS overwrites this value!) 0C6h 26 Not used (seems to be unused) 0E0h 4 JOYBUS Entry Pt. (32bit ARM branch opcode, eg. "B joy_start") |
U Unique Code (usually "A" or "B" or special meaning) TT Short Title (eg. "PM" for Pac Man) D Destination/Language (usually "J" or "E" or "P" or specific language) |
A Normal game; Older titles (mainly 2001..2003) B Normal game; Newer titles (2003..) C Normal game; Not used yet, but might be used for even newer titles F Classic NES Series (software emulated NES games) K Yoshi and Koro Koro Puzzle (acceleration sensor) P e-Reader (dot-code scanner) R Warioware Twisted (cartridge with rumble and z-axis gyro sensor) U Boktai 1 and 2 (cartridge with RTC and solar sensor) V Drill Dozer (cartridge with rumble) |
Usually an abbreviation of the game title (eg. "PM" for "Pac Man") (unless that gamecode was already used for another game, then TT is just random) |
J Japan P Europe/Elsewhere F French S Spanish E USA/English D German I Italian |
Value Expl. 01h Joybus mode 02h Normal mode 03h Multiplay mode |
Value Expl. 01h Slave #1 02h Slave #2 03h Slave #3 |
| GBA Cartridge ROM |
| GBA Cart Backup IDs |
EEPROM_Vnnn EEPROM 512 bytes or 8 Kbytes (4Kbit or 64Kbit) SRAM_Vnnn SRAM 32 Kbytes (256Kbit) FLASH_Vnnn FLASH 64 Kbytes (512Kbit) (ID used in older files) FLASH512_Vnnn FLASH 64 Kbytes (512Kbit) (ID used in newer files) FLASH1M_Vnnn FLASH 128 Kbytes (1Mbit) |
| GBA Cart Backup SRAM/FRAM |
| GBA Cart Backup EEPROM |
2 bits "11" (Read Request) n bits eeprom address (MSB first, 6 or 14 bits, depending on EEPROM) 1 bit "0" |
4 bits - ignore these 64 bits - data (conventionally MSB first) |
2 bits "10" (Write Request) n bits eeprom address (MSB first, 6 or 14 bits, depending on EEPROM) 64 bits data (conventionally MSB first) 1 bit "0" |
| GBA Cart Backup Flash ROM |
[E005555h]=AAh, [E002AAAh]=55h, [E005555h]=90h (enter ID mode) dev=[E000001h], man=[E000000h] (get device & manufacturer) [E005555h]=AAh, [E002AAAh]=55h, [E005555h]=F0h (terminate ID mode) |
dat=[E00xxxxh] (read byte from address xxxx) |
[E005555h]=AAh, [E002AAAh]=55h, [E005555h]=80h (erase command) [E005555h]=AAh, [E002AAAh]=55h, [E005555h]=10h (erase entire chip) wait until [E000000h]=FFh (or timeout) |
[E005555h]=AAh, [E002AAAh]=55h, [E005555h]=80h (erase command) [E005555h]=AAh, [E002AAAh]=55h, [E00n000h]=30h (erase sector n) wait until [E00n000h]=FFh (or timeout) |
old=IME, IME=0 (disable interrupts) [E005555h]=AAh, [E002AAAh]=55h, [E005555h]=A0h (erase/write sector command) [E00xxxxh+00h..7Fh]=dat[00h..7Fh] (write 128 bytes) IME=old (restore old IME state) wait until [E00xxxxh+7Fh]=dat[7Fh] (or timeout) |
[E005555h]=AAh, [E002AAAh]=55h, [E005555h]=A0h (write byte command) [E00xxxxh]=dat (write byte to address xxxx) wait until [E00xxxxh]=dat (or timeout) |
[E005555h]=F0h (force end of write/erase command) |
[E005555h]=AAh, [E002AAAh]=55h, [E005555h]=B0h (select bank command) [E000000h]=bnk (write bank number 0..1) |
ID Name Size Sectors AverageTimings Timeouts/ms Waits D4BFh SST 64K 16x4K 20us?,?,? 10, 40, 200 3,2 1CC2h Macronix 64K 16x4K ?,?,? 10,2000,2000 8,3 1B32h Panasonic 64K 16x4K ?,?,? 10, 500, 500 4,2 3D1Fh Atmel 64K 512x128 ?,?,? ...40.., 40 8,8 1362h Sanyo 128K ? ?,?,? ? ? ? ? 09C2h Macronix 128K ? ?,?,? ? ? ? ? |
| GBA Cart Backup DACS |
| GBA Cart I/O Port (GPIO) |
bit0-3 Data Bits 0..3 (0=Low, 1=High) bit4-15 not used (0) |
bit0-3 Direction for Data Port Bits 0..3 (0=In, 1=Out) bit4-15 not used (0) |
bit0 Register 80000C4h..80000C8h Control (0=Write-Only, 1=Read/Write) bit1-15 not used (0) |
GPIO | Boktai | Wario Bit Pin | RTC SOL | GYR RBL -----------+---------+--------- 0 ROM.1 | SCK CLK | RES - 1 ROM.2 | SIO RST | CLK - 2 ROM.21 | CS - | DTA - 3 ROM.22 | - FLG | - MOT -----------+---------+--------- IRQ ROM.43 | IRQ - | - - |
| GBA Cart Real-Time Clock (RTC) |
NDS_________GBA_________GBA/Params___ stat2 control (1-byte) datetime datetime (7-byte) time time (3-byte) stat1 force reset (0-byte) clkadjust force irq (0-byte) alarm1/int1 always FFh (boktai contains code for writing 1-byte to it) alarm2 always FFh (unused) free always FFh (unused) |
Bit Dir Expl. 0 - Not used 1 R/W IRQ duty/hold related? 2 - Not used 3 R/W Per Minute IRQ (30s duty) (0=Disable, 1=Enable) 4 - Not used 5 R/W Unknown? 6 R/W 12/24-hour Mode (0=12h, 1=24h) (usually 1) 7 R Power-Off (auto cleared on read) (0=Normal, 1=Failure) |
| GBA Cart Solar Sensor |
strh 0001h,[80000c8h] ;-enable R/W mode strh 0007h,[80000c6h] ;-init I/O direction strh 0002h,[80000c4h] ;-reset counter to zero (high=reset) (I/O bit0) strh 0000h,[80000c4h] ;-clear reset (low=normal) mov r0,0 ;-initial level @@lop: strh 0001h,[80000c4h] ;-clock high ;\increase counter (I/O bit1) strh 0000h,[80000c4h] ;-clock low ;/ ldrh r1,[80000c4h] ;-read port (I/O bit3) tst r1,08h ;\ addeq r0,1 ; loop until voltage match (exit with r0=00h..FFh), tsteq r0,100h ; or until failure/timeout (exit with r0=100h) beq @@lop ;/ |
E8h total darkness (including daylight on rainy days) Dxh close to a 100 Watt Bulb 5xh reaches max level in boktai's solar gauge 00h close to a tactical nuclear bomb dropped on your city |
| GBA Cart Tilt Sensor |
E008000h (W) Write 55h to start sampling E008100h (W) Write AAh to start sampling E008200h (R) Lower 8 bits of X axis E008300h (R) Upper 4 bits of X axis, and Bit7: ADC Status (0=Busy, 1=Ready) E008400h (R) Lower 8 bits of Y axis E008500h (R) Upper 4 bits of Y axis |
wait until [E008300h].Bit7=1 or until timeout ;wait ready x = ([E008300h] AND 0Fh)*100h + [E008200h] ;get x y = ([E008500h] AND 0Fh)*100h + [E008400h] ;get y [E008000h]=55h, [E008100h]=AAh ;start next conversion |
X ranged between 0x2AF to 0x477, center at 0x392. Huh? Y ranged between 0x2C3 to 0x480, center at 0x3A0. Huh? |
| GBA Cart Gyro Sensor |
GPIO.Bit0 (W) Start Conversion GPIO.Bit1 (W) Serial Clock GPIO.Bit2 (R) Serial Data GPIO.Bit3 (W) Used for Rumble (not gyro related) |
read_gyro: mov r1,8000000h ;-cartridge base address mov r0,01h ;\enable R/W access strh r0,[r1,0c8h] ;/ mov r0,0bh ;\init direction (gpio2=input, others=output) strh r0,[r1,0c6h] ;/ ldrh r2,[r1,0c4h] ;-get current state (for keeping gpio3=rumble) orr r2,3 ;\ strh r2,[r1,0c4h] ;gpio0=1 ; start ADC conversion bic r2,1 ; strh r2,[r1,0c4h] ;gpio0=0 ;/ mov r0,00010000h ;stop-bit ;\ bic r2,2 ; @@lop: ; ldrh r3,[r1,0c4h] ;get gpio2=data ; read 16 bits strh r2,[r1,0c4h] ;gpio1=0=clk=low ; (4 dummy bits, plus 12 data bits) movs r3,r3,lsr 3 ;gpio2 to cy=data ; adcs r0,r0,r0 ;merge data, cy=done; orr r3,r2,2 ;set bit1 and delay ; strh r3,[r1,0c4h] ;gpio1=1=clk=high ; bcc @@lop ;/ bic r0,0f000h ;-strip upper 4 dummy bits (isolate 12bit adc) bx lr |
354h rotated in anti-clockwise direction (shock-speed) 64Dh rotated in anti-clockwise direction (normal fast) 6A3h rotated in anti-clockwise direction (slow) 6C0h no rotation (stopped) 6DAh rotation in clockwise direction (slow) 73Ah rotation in clockwise direction (normal fast) 9E3h rotation in clockwise direction (shock-speed) |
| GBA Cart Rumble |
| GBA Cart e-Reader |
________________ | ShortStrip | |L L| |o Center o| |n Region n| |g g| | may contain | |S pictures, S| |t instructions t| |r etc. r| |i i| |p p| |___ShortStrip___| |
| GBA Cart e-Reader Overview |
| GBA Cart e-Reader I/O Ports |
0 Output to PGA.Pin93 (which seems to be not connected to anything) 1-3 Unknown, read/write-able (not used by e-Reader BIOS) 4-15 Always zero (0) |
0 Always zero (0) 1 Reset Something? (0=Normal, 1=Reset) 2 Unknown, always set (1) 3 Unknown, read/write-able (not used by e-Reader BIOS) 4-7 Always zero (0) 8 Unknown, read/write-able (not used by e-Reader BIOS) 9-15 Always zero (0) |
0-6 Max Brightness (00h..7Fh; 00h=All black, 7Fh=One or more white) 7-15 Always zero |
0-7 Max Darkness (00h..7Fh; 00h=One or more black, 7Fh=All white) 8-15 Always zero |
0-6 Block Intensity Boundaries (0..7Fh; 7Fh=Whole block gets black) 7 Always zero |
0 Serial Data (Low/High) 1 Serial Clock (Low/High) 2 Serial Direction (0=Input, 1=Output) 3 Led/Irq Enable (0=Off, 1=On; Enable LED and Gamepak IRQ) 4 Start Scan (0=Off, 1=Start) (0-to-1 --> Resync line 0) 5 Phi 16MHz Output (0=Off, 1=On; Enable Clock for Camera, and for LED) 6 Power 3V Enable (0=Off, 1=On; Enable 3V Supply for Camera) 7 Not used (always 0) (sometimes 1) (Read only) |
0 Not used (always 0) 1 Scanline Flag (1=Scanline Received, 0=Acknowledge) 2-3 Not used (always 0) 4 Strange Bit (0=Normal, 1=Force Resync/Line0 on certain interval?) 5 LED Anode Voltage (0=3.0V, 1=5.1V; requires E00FFB0h.Bit3+5 to be set) 6 Not used (always 0) 7 Input from PGA.Pin22, always high (not used by e-Reader) (Read Only) |
Port Expl. (e-Reader Setting) 00h Maybe Chip ID (12h) (not used by e-Reader BIOS) (Read Only) 01h (05h) ;-Bit0: 1=auto-repeat scanning? 02h (0Eh) 10h-11h Vertical Scroll (calib_data[30h]+7) 12h-13h Horizontal Scroll (0030h) 14h-15h Vertical Size (00F6h=246) 16h-17h Horizontal Size (0140h=320) 20h-21h H-Blank Duration (00C4h) 22h-23h (0400h) ;-Upper-Blanking in dot-clock units? 25h (var) ;-bit1: 0=enable [57h..5Ah] ? 26h (var) ;\maybe a 16bit value 27h (var) ;/ 28h (00h) 30h Brightness/contrast (calib_data[31h]+/-nn) 31h-33h (014h,014h,014h) 34h Brightness/contrast (02h) 50h-52h 8bit Read/Write (not used by e-Reader BIOS) 53h-55h 2bit Read/Write (not used by e-Reader BIOS) 56h 8bit Read/Write (not used by e-Reader BIOS) 57h-58h 16bit value, used to autodetect/adjust register[30h] (Read Only) 59h-5Ah 16bit value, used to autodetect/adjust register[30h] (Read Only) 80h-FFh Mirrors of 00h..7Fh (not used by e-Reader BIOS) |
Port Expl. (e-Reader Setting) 00h (22h) 01h (50h) 02h-03h Vertical Scroll (calib_data[30h]+28h) 04h-05h Horizontal Scroll (001Eh) 06h-07h Vertical Size (00F6h) ;=246 08h-09h Horizontal Size (0140h) ;=320 0Ah-0Ch (not used by e-Reader BIOS) 0Dh (01h) 0Eh-0Fh (01EAh) ;=245*2 10h-11h (00F5h) ;=245 12h-13h (20h,F0h) ;maybe min/max values? 14h-15h (31h,C0h) ;maybe min/max values? 16h (00h) 17h-18h (77h,77h) 19h-1Ch (30h,30h,30h,30h) 1Dh-20h (80h,80h,80h,80h) 21h-FFh (not used by e-Reader BIOS) |
E00D000 14h ID String ('Card-E Reader 2001',0,0)
E00D014 2 Sector Checksum (NOT(x+x/10000h); x=sum of all other halfwords)
|
E00D016 8x6 [00h] Intensity Boundaries for 8x6 blocks ;see E00FF80h..AFh E00D046 1 [30h] Vertical scroll (0..36h) ;see type1.reg10h/type2.reg02h E00D047 1 [31h] Brightness or contrast ;see type1.reg30h E00D048 2 [32h] LED Duration ;see E00FFB2h..B3h E00D04A 2 [34h] Not used? (0000h) E00D04C 2 [36h] Signed value, related to adjusting the 8x6 blocks E00D04E 4 [38h] Not used? (00000077h) E00D052 4 [3Ch] Camera Type (0=none,1=DV488800,2=Whatever?) |
E00D056 FAAh Not used (zerofilled) (included in above checksum) |
call ereader_power_on call ereader_initialize for z=1 to number_of_frames for y=0 to 245 Wait until E00FFB1h.Bit1 gets set by hardware (can be handled by IRQ) Copy 14h halfwords from DFC0000h to buf+y*28h via DMA3 Reset E00FFB1h.Bit1 by software next y ;(could now check DFC0028h..DFC0086h/DFC0088h for adjusting E00FF00h..2Fh) ;(could now show image on screen, that may require to stop/pause scanning) next z call ereader_power_off Ret |
[4000204h]=5803h ;Init waitstates, and enable Phi 16MHz [DFA0000h].Bit1=1 Wait(10ms) [E00FFB0h]=40h ;Enable Power3V and reset other bits [DFA0000h].Bit1=0 [E00FFB1h]=20h ;Enable Power5V and reset other bits Wait(40ms) [E00FFB1h].Bit4=0 ;...should be already 0 ? [E00FFB0h]=40h+27h ;Phi16MHz=On, SioDtaClkDir=HighHighOut Ret |
[E00FFB0h]=04h ;Power3V=Off, Disable Everything, SioDtaClkDir=LowLowOut [DFA0000h].Bit1=0 ;...should be already 0 [E00FFB1h].Bit5=0 ;Power5V=Off Ret |
IF calib_data[3Ch] AND 03h = 1 THEN init_camera_type1 [E00FFB0h].Bit4=1 ;ScanStart IF calib_data[3Ch] AND 03h = 2 THEN init_camera_type2 Copy calib_data[00h..2Fh] to [E00FF80h+00h..2Fh] ;Intensity Boundaries Copy calib_data[32h..33h] to [E00FFB2h+00h..01h] ;LED Duration LSB,MSB [E00FFB0h].Bit3=1 ;LedIrqOn Ret |
x=MIN(0,calib_data[31h]-0Bh) Set Sio Registers (as shown for Camera Type 1, except below values...) Set Sio Registers [30h]=x [25h]=04h, [26h]=58h, [27h]=6Ch ;(could now detect/adjust <x> based on Sio Registers [57h..5Ah]) Set Sio Registers [30h]=x [25h]=06h, [26h]=E8h, [27h]=6Ch Ret |
Wait(0.5ms) Set Sio Registers (as shown for Camera Type 2) Ret |
Begin Write(A) Write(B) Read(C) Read(D) End Idle PwrOff Dir ooooooo ooooooo ooooooo iiiiiii iiiiiii ooooooo ooooooo ooooooo Dta ---____ AAAAAAA BBBBBBB xxxxxCx xxxxxDx ______- ------- _______ Clk ------_ ___---_ ___---_ ___---_ ___---_ ___---- ------- _______ |
Delay: Wait circa 2.5us, Ret SioBegin: SioDta=1, SioDir=Out, SioClk=1, Delay, SioDta=0, Delay, SioClk=0, Ret SioEnd: SioDta=0, SioDir=Out, Delay, SioClk=1, Delay, SioDta=1, Ret SioRead1bit: ;out: databit SioDir=In, Delay, SioClk=1, Delay, databit=SioDta, SioClk=0, Ret SioWrite1bit: ;in: databit SioDta=databit, SioDir=Out, Delay, SioClk=1, Delay, SioClk=0, Ret SioReadByte: ;in: endflag - out: data for i=7 to 0, data.bit<i>=SioRead1bit, next i, SioWrite1bit(endflag), Ret SioWriteByte: ;in: data - out: errorflag for i=7 to 0, Delay(huh/why?), SioWrite1bit(data.bit<i>), next i errorflag=SioRead1bit, SioDir=Out(huh/why?), Ret SioWriteRegisters: ;in: index, len, buffer SioBegin SioWriteByte(22h) ;command (set_index) (and write_data) SioWriteByte(index) ;index for i=0 to len-1 SioWriteByte(buffer[i]) ;write data (and auto-increment index) next SioEnd ret SioReadRegisters: ;in: index, len - out: buffer SioBegin SioWriteByte(22h) ;command (set_index) (without any write_data here) SioWriteByte(index) ;index SioBegin SioWriteByte(23h) ;command (read_data) (using above index) for i=0 to len-1 if i=len-1 then endflag=1 else endflag=0 buffer[i]=SioReadByte(endflag) ;read data (and auto-increment index) next SioEnd Ret |
C000000h-C7FFFFFh ROM (8MB) C800000h-DF7FFFFh Open Bus DF80000h-DF80001h Useless Register (R/W) DF80002h-DF9FFFFh Mirrors of DF80000h-DF80001h DFA0000h-DFA0001h Reset Register (R/W) DFA0002h-DFBFFFFh Mirrors of DFA0000h-DFA0001h DFC0000h-DFC0027h Scanline Data (320 Pixels) (R) DFC0028h-DFC0087h Brightest Pixels of 8x6 Blocks (R) DFC0088h Darkest Pixel of whole Image (R) DFC0089h-DFC00FFh Always zero DFC0100h-DFDFFFFh Mirrors of DFC0000h-DFC00FFh DFE0000h-DFFFFFFh Open Bus E000000h-E00CFFFh FLASH Bank 0 - Data E00D000h-E00DFFFh FLASH Bank 0 - Calibration Data E00E000h-E00EFFFh FLASH Bank 0 - Copy of Calibration Data E00F000h-E00FF7Fh FLASH Bank 0 - Unused region E000000h-E00EFFFh FLASH Bank 1 - Data E00F000h-E00FF7Fh FLASH Bank 1 - Unused region E00FF80h-E00FFAFh Intensity Boundaries for 8x6 Blocks (R/W) E00FFB0h Control Register 0 (R/W) E00FFB1h Control Register 1 (R/W) E00FFB2h-E00FFB3h LED Duration (16bit) (R/W) E00FFB4h-E00FFBFh Always zero E00FFC0h-E00FFFFh Mirror of E00FF80h-E00FFBFh |
Actual Shape Scanned Shape
XXXXX X X
XXXXXXX X X X
XXXXXXXXX X X X XX
XXXXXXXXX X X X XX
XXXXXXX XXXXXXX
XXXXX XXXXX
|
| GBA Cart e-Reader Dotcode Format |
XXX BLOCK 1 XXX BLOCK 2 XXX
XXXXX XXXXX XXXXX
XXXXX X X X X X X X X X X X X XXXXX X X X X X X X X X X X X XXXXX
XXXXX XXXXX XXXXX
XXX HHHHHHHHHHHHHHHHHHHH...... XXX HHHHHHHHHHHHHHHHHHHH...... XXX
.......................... ..........................
...... 3 short lines ..... ..........................
A..................................A..................................A..
A.... 26 long lines ....A........ X = Sync Marks ........A..
A.... (each 34 data dots) ....A........ H = Block Header ........A..
A....(not all lines shown here)....A........ . = Data Bits ........A..
A..................................A........ A = Address Bits ........A..
...... 3 short lines ..... ..........................
...(each 26 data dots).... ..........................
XXX .......................... XXX .......................... XXX
XXXXX XXXXX XXXXX
XXXXX X X X X X X X X X X X X XXXXX X X X X X X X X X X X X XXXXX
XXXXX XXXXX XXXXX
XXX XXX XXX
<ca. 35 blank lines>
___Snip____________________________________________________________________
|
addr[0] = 03FFh
for i = 1 to 53
addr[i] = addr[i-1] xor ((i and (-i)) * 769h)
if (i and 07h)=0 then addr[i] = addr[i] xor (769h)
if (i and 0Fh)=0 then addr[i] = addr[i] xor (769h*2)
if (i and 1Fh)=0 then addr[i] = addr[i] xor (769h*4) xor (769h)
next i
|
00h Unknown (00h)
01h Dotcode type (02h=Short, 03h=Long)
02h Unknown (00h)
03h Address of 1st Block (01h=Short, 19h=Long)
04h Total Fragment Size (40h) ;64 bytes per fragment, of which,
;48 bytes are actual data, the remaining
05h Error-Info Size (10h) ;16 bytes are error-info
06h Unknown (00h)
07h Interleave Value (1Ch=Short, 2Ch=Long)
08h..17h 16 bytes Reed-solomon error correction info for Block Header
|
4bit 00h 01h 02h 03h 04h 05h 06h 07h 08h 09h 0Ah 0Bh 0Ch 0Dh 0Eh 0Fh 5bit 00h 01h 02h 12h 04h 05h 06h 16h 08h 09h 0Ah 14h 0Ch 0Dh 11h 10h |
RAW Offset Content 000h..001h 1st 2 bytes of RAW Header 002h 1st byte of 1st fragment 003h 1st byte of 2nd fragment ... ... 002h+I-1 1st byte of last fragment 002h+I 2nd byte of 1st fragment 003h+I 2nd byte of 2nd fragment ... ... 002h+I*2-1 2nd byte of last fragment ... ... |
| GBA Cart e-Reader Data Format |
Data Header (48 bytes) Main-Title (17 bytes, or 33 bytes) Sub-Title(s) (3+18 bytes, or 33 bytes) (for each strip) (optional) VPK Size (2 byte value, total length of VPK Data in ALL strips) NULL Value (4 bytes, contained ONLY in 1st strip of GBA strips) VPK Data (length as defined in VPK Size entry, see above) |
Data Header (48 bytes) Main-Title (17 bytes, or 33 bytes) Sub-Title(s) (3+18 bytes, or 33 bytes) (for each strip) (optional) VPK Data (continued from previous strip) |
00h-01h Fixed (00h,30h)
02h Fixed (01h) ;01h="Do not calculate Global Checksum" ?
03h Primary Type (see below)
04h-05h Fixed (00h,01h) (don't care)
06h-07h Strip Size (0510h=Short, 0810h=Long Strip) ((I-1)*30h) (MSB,LSB)
08h-0Bh Fixed (00h,00h,10h,12h)
0Ch-0Dh Region/Type (see below)
0Eh Strip Type (02h=Short Strip, 01h=Long Strip) (don't care)
0Fh Fixed (00h) (don't care)
10h-11h Unknown (whatever) (don't care)
12h Fixed (10h) ;10h="Do calculate Data Checksum" ?
13h-14h Data Checksum (see below) (MSB,LSB)
15h-19h Fixed (19h,00h,00h,00h,08h)
1Ah-21h ID String ('NINTENDO')
22h-25h Fixed (00h,22h,00h,09h)
26h-29h Size Info (see below)
2Ah-2Dh Flags (see below)
2Eh Header Checksum (entries [0Ch-0Dh,10h-11h,26h-2Dh] XORed together)
2Fh Global Checksum (see below)
|
0 Card Type (upper bit) (see below) 1 Unknown (usually opposite of Bit0) (don't care) 2-7 Unknown (usually zero) |
0-3 Unknown (don't care) 4-7 Card Type (lower bits) (see below) 8-11 Region/Version (0=Japan/Original, 1=Non-japan, 2=Japan/Plus) 12-15 Unknown (don't care) |
0 Unknown (don't care)
1-4 Strip Number (01h..Number of strips)
5-8 Number of Strips (01h..0Ch) (01h..08h for Japan/Original version)
9-23 Size of all Strips (excluding Headers and Main/Sub-Titles)
(same as "VPK Size", but also including the 2-byte "VPK Size" value,
plus the 4-byte NULL value; if it is present)
24-31 Fixed (02h) (don't care)
|
0 Permission to save (0=Start Immediately, 1=Prompt for FLASH Saving) 1 Sub-Title Flag (0=Yes, 1=None) (Japan/Original: always 0=Yes) 2 Application Type (0=GBA/Z80, 1=NES) (Japan/Original: always 0=Z80) 3-31 Zero (0) (don't care) |
Bit Expl.
0-3 h1, values 1..15 shown as "10..150", value 0 is not displayed
4-6 i3, values 0..7 shown as "A..G,#"
7-13 i2, values 0..98 shown as "01..99" values 99..127 as "A0..C8"
14-18 i1, values 0..31 shown as "A..Z,-,_,{HP},.,{ID?},:"
19-22 Unknown
23 Disable stats (0=Show as "HP: h1 ID: i1-i2-i3", 1=Don't show it)
|
00h --> end-byte 81h,40h --> SPC 81h,43h..97h --> punctuation marks 82h,4Fh..58h --> "0..9" 82h,60h..79h --> "A..Z" 82h,81h..9Ah --> "a..z" |
00 = end-byte
01 = spc
02..0B = 0..9
0C..AF = japanese
B0..B4 = dash, male, female, comma, round-dot
B5..C0 = !"%&~?/+-:.'
C1..DA = A..Z
DB..DF = unused (blank)
E0..E5 = japanese
E6..FF = a..z
N/A = #$()*;<=>@[\]^_`{|}
|
00h..01h Blank Screen (?) 02h..03h Dotcode Application with 17byte-title, with stats, load music A 04h..05h Dotcode Application with 17byte-title, with stats, load music B 06h..07h P-Letter Attacks 08h..09h Construction Escape 0Ah..0Bh Construction Action 0Ch..0Dh Construction Melody Box 0Eh Dotcode Application with 33byte-title, without stats, load music A 0Fh Game specific cards 10h..1Dh P-Letter Viewer 1Eh..1Fh Same as 0Eh and 0Fh (see above) |
| GBA Cart e-Reader Program Code |
IF e-Reader is Non-Japanese, AND [2000008h] is outside of range of 2000000h..20000E3h, AND only if booted from camera (not when booted from FLASH?), THEN [2000008h]=[2000008h]-0001610Ch ELSE [2000008h] kept intact |
Store "B 20000C0h" at 2000000h ;redirect to RAM-entrypoint Zerofill 2000004h..20000BFh ;erase header (for better compression rate) Store 01h,01h at 20000C4h ;indicate RAM boot |
http://nocash.emubase.de/everynes.htm |
for i=17h to 0 for j=07h to 0, nmi = nmi shr 1, if carry then nmi = nmi xor 8646h, next j nmi = nmi xor (byte[dmca_data+i] shl 8) next i dmca_data: db 0,0,'DMCA NINTENDO E-READER' |
Bit0-14 Lower bits of Entrypoint (0..7FFFh = Address 8000h..FFFFh) Bit15 Nametable Mode (0=Vertical Mirroring, 1=Horizontal Mirroring) |
(NES limitations, 1 16K program rom + 1-2 8K CHR rom, mapper 0 and 1) ines mapper 1 would be MMC1, rather than CNROM (ines mapper 3)? but, there are more or less NONE games that have 16K PRG ROM + 16K VROM? |
CB [Prefix] E0 RET PO E2 JP PO,nn E4 CALL PO,nn 27 DAA 76 HALT ED [Prefix] E8 RET PE EA JP PE,nn EC CALL PE,nn D3 OUT (n),A DD [IX Prefix] F3 DI 08 EX AF,AF' F4 CALL P,nn DB IN A,(n) FD [IY Prefix] FB EI D9 EXX FC CALL M,nn xx RST 00h..38h |
76 WAIT A frames, D3 WAIT n frames, and C7/CF RST 0/8 used for API calls. |
retry: ld bc,data // ld hl,00c8h ;src/dst lop: ld a,[bc] // inc bc // ld e,a ;lsb ld a,[bc] // inc bc // ld d,a ;msb dw 0bcfh ;aka rst 8 // db 0bh ;[4000000h+hl]=de inc hl // inc hl // ld a,l cp a,0dch // jr nz,lop mod1 equ $+1 dw 37cfh ;aka rst 8 // db 37h ;bx 3E700F0h ;below executed only on jap/plus... on jap/plus, above 37cfh is hl=[400010Ch] ld a,3Ah // ld [mod1],a ;bx 3E700F0h (3Ah instead 37h) ld hl,1 // ld [mod2],hl // ld [mod3],hl ;base (0200010Ch instead 0201610Ch) jr retry data: mod2 equ $+1 dd loader ;40000A4h dma2sad (loader) dd 030000F0h ;40000A8h dma2dad (mirrored 3E700F0h) dd 8000000ah ;40000ACh dma2cnt (copy 0Ah x 16bit) mod3 equ $+1 dd main ;40000B0h dma3sad (main) dd 02000000h ;40000B4h dma3dad (2000000h) org $+201600ch ;jap/plus: adjusted to org $+200000ch .align 2 ;alignment for 16bit-halfword loader: mov r0,80000000h ;(dma3cnt, copy 10000h x 16bit) mov r1,04000000h ;i/o base strb r1,[r1,208h] ;ime=0 (better disable ime before moving ram) str r0,[r1,0DCh] ;dma3cnt (relocate to 2000000h) mov r15,2000000h ;start relocated code at 2000000h in ARM state main: ;...insert/append whatever ARM code here... end |
| GBA Cart e-Reader API Functions |
db 76h ;Wait8bit A db D3h,xxh ;Wait8bit xxh db C7h,xxh ;RST0_xxh db CFh,xxh ;RST8_xxh ld r,[00xxh] ;get system values (addresses differ on jap/ori) ld r,[00C2h..C3h] ;GetKeyStateSticky (jap/ori: 9F02h..9F03h) ld r,[00C4h..C5h] ;GetKeyStateRaw (jap/ori: 9F04h..9F05h) ld r,[00C0h..C1h] ;see Exit and ExitRestart ld r,[00D0h..D3h] ;see Mul16bit |
bx [30075FCh] ;ApiVector ;in: r0=func_no,r1,r2,r3,[sp+0],[sp+4],[sp+8]=params bx lr ;Exit ;in: r0 (0=Restart, 2=To_Menu) |
RST0_00h FadeIn, A speed, number of frames (0..x)
RST0_01h FadeOut
RST0_02h BlinkWhite
RST0_03h (?)
RST0_04h (?) blend_func_unk1
RST0_05h (?)
RST0_06h (?)
RST0_07h (?)
RST0_08h (?)
RST0_09h (?) _020264CC_check
RST0_0Ah (?) _020264CC_free
RST0_0Bh N/A (bx 0)
RST0_0Ch N/A (bx 0)
RST0_0Dh N/A (bx 0)
RST0_0Eh N/A (bx 0)
RST0_0Fh N/A (bx 0)
RST0_10h LoadSystemBackground, A number of background (1..101), E bg# (0..3)
RST0_11h SetBackgroundOffset, A=bg# (0..3), DE=X, BC=Y
RST0_12h SetBackgroundAutoScroll
RST0_13h SetBackgroundMirrorToggle
RST0_14h (?)
RST0_15h (?)
RST0_16h (?) write_000000FF_to_02029494_
RST0_17h (?)
RST0_18h (?)
RST0_19h SetBackgroundMode, A=mode (0..2)
RST0_1Ah (?)
RST0_1Bh (?)
RST0_1Ch (?)
RST0_1Dh (?)
RST0_1Eh (?)
RST0_1Fh (?)
RST0_20h LayerShow
RST0_21h LayerHide
RST0_22h (?)
RST0_23h (?)
RST0_24h ... [20264DCh+A*20h+1Ah]=DE, [20264DCh+A*20h+1Ch]=BC
RST0_25h (?)
RST0_26h (?)
RST0_27h (?)
RST0_28h (?)
RST0_29h (?)
RST0_2Ah (?)
RST0_2Bh (?)
RST0_2Ch (?)
RST0_2Dh LoadCustomBackground, A bg# (0..3), DE pointer to struct_background,
max. tile data size = 3000h bytes, max. map data size = 1000h bytes
RST0_2Eh GBA: N/A - Z80: (?)
RST0_2Fh (?)
RST0_30h CreateSystemSprite, - - (what "- -" ???)
RST0_31h SpriteFree, HL sprite handle
RST0_32h SetSpritePos, HL=sprite handle, DE=X, BC=Y
RST0_33h (?) sprite_unk2
RST0_34h SpriteFrameNext
RST0_35h SpriteFramePrev
RST0_36h SetSpriteFrame, HL=sprite handle, E=frame number (0..x)
RST0_37h (?) sprite_unk3
RST0_38h (?) sprite_unk4
RST0_39h SetSpriteAutoMove, HL=sprite handle, DE=X, BC=Y
RST0_3Ah (?) sprite_unk5
RST0_3Bh (?) sprite_unk6
RST0_3Ch SpriteAutoAnimate
RST0_3Dh (?) sprite_unk7
RST0_3Eh SpriteAutoRotateUntilAngle
RST0_3Fh SpriteAutoRotateByAngle
RST0_40h SpriteAutoRotateByTime
RST0_41h (?) sprite_unk8
RST0_42h SetSpriteAutoMoveHorizontal
RST0_43h SetSpriteAutoMoveVertical
RST0_44h (?) sprite_unk9
RST0_45h SpriteDrawOnBackground
RST0_46h SpriteShow, HL=sprite handle
RST0_47h SpriteHide, HL=sprite handle
RST0_48h SpriteMirrorToggle
RST0_49h (?) sprite_unk10
RST0_4Ah (?) sprite_unk11
RST0_4Bh (?) sprite_unk12
RST0_4Ch GetSpritePos
RST0_4Dh CreateCustomSprite
RST0_4Eh (?)
RST0_4Fh (?) sprite_unk14
RST0_50h (?) sprite_unk15
RST0_51h (?) sprite_unk16
RST0_52h (?) sprite_unk17
RST0_53h (?) sprite_unk18
RST0_54h (?)
RST0_55h (?) sprite_unk20
RST0_56h (?)
RST0_57h SpriteMove
RST0_58h (?) sprite_unk22
RST0_59h (?) sprite_unk23
RST0_5Ah (?) sprite_unk24
RST0_5Bh SpriteAutoScaleUntilSize, C=speed (higher value is slower),
HL=sprite handle, DE=size (0100h = normal size,
lower value = larger, higher value = smaller)
RST0_5Ch SpriteAutoScaleBySize
RST0_5Dh SpriteAutoScaleWidthUntilSize
RST0_5Eh SpriteAutoScaleHeightBySize
RST0_5Fh (?)
RST0_60h (?)
RST0_61h (?)
RST0_62h (?)
RST0_63h (?)
RST0_64h hl=[[2024D28h+a*4]+12h]
RST0_65h (?) sprite_unk25
RST0_66h SetSpriteVisible, HL=sprite handle, E=(0=not visible, 1=visible)
RST0_67h (?) sprite_unk26
RST0_68h (?) set_sprite_unk27
RST0_69h (?) get_sprite_unk27
RST0_6Ah (?)
RST0_6Bh (?)
RST0_6Ch (?)
RST0_6Dh (?)
RST0_6Eh hl=[hl+000Ah] ;r0=[r1+0Ah]
RST0_6Fh (?)
RST0_70h (?)
RST0_71h (?)
RST0_72h (?)
RST0_73h (?)
RST0_74h (?)
RST0_75h (?)
RST0_76h (?)
RST0_77h (?)
RST0_78h (?)
RST0_79h (?)
RST0_7Ah (?)
RST0_7Bh (?)
RST0_7Ch (?) _0202FD2C_unk12
RST0_7Dh Wait16bit ;HL=num_frames (16bit variant of Wait8bit opcode/function)
RST0_7Eh SetBackgroundPalette, HL=src_addr, DE=offset, C=num_colors (1..x)
RST0_7Fh GetBackgroundPalette(a,b,c)
RST0_80h SetSpritePalette, HL=src_addr, DE=offset, C=num_colors (1..x)
RST0_81h GetSpritePalette(a,b,c)
RST0_82h ClearPalette
RST0_83h (?) _0202FD2C_unk11
RST0_84h (?)
RST0_85h (?)
RST0_86h (?)
RST0_87h (?) _0202FD2C_unk8
RST0_88h (?) _0202FD2C_unk7
RST0_89h (?)
RST0_8Ah (?) _0202FD2C_unk6
RST0_8Bh (?) _0202FD2C_unk5
RST0_8Ch GBA: N/A - Z80: (?)
RST0_8Dh GBA: N/A - Z80: (?)
RST0_8Eh (?)
RST0_8Fh WindowHide
RST0_90h CreateRegion, H=bg# (0..3), L=palbank# (0..15),
D,E,B,C=x1,y1,cx,cy (in tiles), return: n/a (no$note: n/a ???)
RST0_91h SetRegionColor
RST0_92h ClearRegion
RST0_93h SetPixel
RST0_94h GetPixel
RST0_95h DrawLine
RST0_96h DrawRect
RST0_97h (?) _0202FD2C_unk4
RST0_98h SetTextColor, A=region handle, D=color foreground (0..15),
E=color background (0..15)
RST0_99h DrawText, A=region handle, BC=pointer to text, D=X, E=Y
(non-japan uses ASCII text, but japanese e-reader's use STH ELSE?)
RST0_9Ah SetTextSize
RST0_9Bh (?) RegionUnk7
RST0_9Ch (?) _0202FD2C_unk3
RST0_9Dh (?) _0202FD2C_unk2
RST0_9Eh (?) _0202FD2C_unk1
RST0_9Fh Z80: (?) - GBA: SetBackgroundModeRaw
RST0_A0h (?)
RST0_A1h (?)
RST0_A2h (?) RegionUnk6
RST0_A3h GBA: N/A - Z80: (?)
RST0_A4h GBA: N/A - Z80: (?)
RST0_A5h (?)
RST0_A6h (?)
RST0_A7h (?)
RST0_A8h (?)
RST0_A9h (?)
RST0_AAh (?)
RST0_ABh (?)
RST0_ACh (?)
RST0_ADh (?) RegionUnk5
RST0_AEh [202FD2Ch+122h]=A
RST0_AFh [202FD2Ch+123h]=A
RST0_B0h [202FD2Ch+124h]=A
RST0_B1h (?)
RST0_B2h (?)
RST0_B3h GBA: N/A - Z80: Sqrt ;hl=sqrt(hl)
RST0_B4h GBA: N/A - Z80: ArcTan ;hl=ArcTan2(hl,de)
RST0_B5h Sine ;hl=sin(a)*de
RST0_B6h Cosine ;hl=cos(a)*de
RST0_B7h (?)
RST0_B8h (?)
RST0_B9h N/A (bx 0)
RST0_BAh N/A (bx 0)
RST0_BBh N/A (bx 0)
RST0_BCh N/A (bx 0)
RST0_BDh N/A (bx 0)
RST0_BEh N/A (bx 0)
RST0_BFh N/A (bx 0)
Below Non-Japan and Japan/Plus only (not Japan/Ori)
RST0_C0h GetTextWidth(a,b)
RST0_C1h GetTextWidthEx(a,b,c)
RST0_C2h (?)
RST0_C3h Z80: N/A (bx 0) - GBA: (?)
RST0_C4h (?)
RST0_C5h (?)
RST0_C6h (?)
RST0_C7h (?)
RST0_C8h (?)
RST0_C9h (?)
RST0_CAh (?)
RST0_CBh (?)
RST0_CCh (?)
RST0_CDh N/A (bx lr)
RST0_CEh ;same as RST0_3Bh, but with 16bit mask
RST0_CFh ;same as RST0_3Eh, but with 16bit de
RST0_D0h ;same as RST0_3Fh, but with 16bit de
RST0_D1h ;same as RST0_5Bh, but with 16bit de
RST0_D2h ;same as RST0_5Ch, but with 16bit de
RST0_D3h ;same as RST0_5Dh, but with 16bit de
RST0_D4h ;same as RST0_5Eh, but with 16bit de
RST0_D5h (?)
RST0_D6h (?)
RST0_D7h ;[202FD2Ch+125h]=A
RST0_D8h (?)
RST0_D9h (?)
RST0_DAh (?)
RST0_DBh ;A=[3003E51h]
RST0_DCh ;[3004658h]=01h
RST0_DDh DecompressVPKorNonVPK
RST0_DEh FlashWriteSectorSingle(a,b)
RST0_DFh FlashReadSectorSingle(a,b)
RST0_E0h SoftReset
RST0_E1h GetCartridgeHeader ;[hl+0..BFh]=[8000000h..80000BFh]
RST0_E2h GBA: N/A - Z80: bx hl ;in: hl=addr, af,bc,de,sp=param, out: a
RST0_E3h Z80: N/A (bx 0) - GBA: (?)
RST0_E4h (?)
RST0_E5h (?)
RST0_E6h (?)
RST0_E7h (?)
RST0_E8h (?)
RST0_E9h ;[2029498h]=0000h
RST0_EAh Z80: N/A (bx 0) - GBA: InitMemory(a)
RST0_EBh (?) BL_irq_sio_dma3
RST0_ECh ;hl = [3003E30h]*100h + [3003E34h]
RST0_EDh FlashWriteSectorMulti(a,b,c)
RST0_EEh FlashReadPart(a,b,c)
RST0_EFh ;A=((-([2029416h] xor 1)) OR (+([2029416h] xor 1))) SHR 31
RST0_F0h (?) _unk1
RST0_F1h RandomInit ;in: hl=random_seed
RST0_F2h (?)
Below Japan/Plus only
RST0_F3h (?)
RST0_F4h (?)
RST0_F5h (?)
RST0_F6h (?)
RST0_F7h GBA: N/A - Z80: (?)
Below is undefined/garbage (values as so in Z80 mode)
Jap/Ori: RST0_C0h N/A (bx 0)
Jap/Ori: RST0_C1h..FFh Overlaps RST8 jump list
Non-Jap: RST0_F3h..FFh Overlaps RST8 jump list
Jap/Pls: RST0_F8h..FFh Overlaps RST8 jump list
|
RST8_00h GBA: N/A - Z80: Exit ;[00C0h]=a ;(1=restart, 2=exit) RST8_01h GBA: N/A - Z80: Mul8bit ;hl=a*e RST8_02h GBA: N/A - Z80: Mul16bit ;hl=hl*de, s32[00D0h]=hl*de RST8_03h Div ;hl=hl/de RST8_04h DivRem ;hl=hl mod de RST8_05h PlaySystemSound ;in: hl=sound_number RST8_06h (?) sound_unk1 RST8_07h Random8bit ;a=random(0..FFh) RST8_08h SetSoundVolume RST8_09h BcdTime ;[de+0..5]=hhmmss(hl*bc) RST8_0Ah BcdNumber ;[de+0..4]=BCD(hl), [de+5]=00h RST8_0Bh IoWrite ;[4000000h+hl]=de RST8_0Ch IoRead ;de=[4000000h+hl] RST8_0Dh GBA: N/A - Z80: (?) RST8_0Eh GBA: N/A - Z80: (?) RST8_0Fh GBA: N/A - Z80: (?) RST8_10h GBA: N/A - Z80: (?) RST8_11h DivSigned ;hl=hl/de, signed RST8_12h RandomMax ;a=random(0..a-1) RST8_13h SetSoundSpeed RST8_14h hl=[202FD20h]=[2024CACh] RST8_15h hl=[2024CACh]-[202FD20h] RST8_16h SoundPause RST8_17h SoundResume RST8_18h PlaySystemSoundEx RST8_19h IsSoundPlaying RST8_1Ah (?) RST8_1Bh (?) RST8_1Ch (?) RST8_1Dh GetExitCount ;a=[2032D34h] RST8_1Eh Permille ;hl=de*1000/hl RST8_1Fh GBA: N/A - Z80: ExitRestart;[2032D38h]=a, [00C0h]=0001h ;a=? RST8_20h GBA: N/A - Z80: WaitJoypad ;wait until joypad<>0, set hl=joypad RST8_21h GBA: N/A - Z80: (?) RST8_22h (?) _sound_unk7 RST8_23h (?) _sound_unk8 RST8_24h (?) _sound_unk9 RST8_25h (?) _sound_unk10 RST8_26h Mosaic ;bg<n>cnt.bit6=a.bit<n>, [400004Ch]=de RST8_27h (?) RST8_28h (?) RST8_29h (?) RST8_2Ah (?) get_8bit_from_2030110h RST8_2Bh (?) RST8_2Ch (?) get_16bit_from_2030112h ;jap/ori: hl=[20077B2h] RST8_2Dh (?) get_16bit_from_2030114h ;jap/ori: hl=[20077B4h] RST8_2Eh (?) RST8_2Fh PlayCustomSound(a,b) Below not for Japanese/Original (the renumbered functions can be theoretically used on japanese/original) (but, doing so would blow forwards compatibility with japanese/plus) RST8_30h (ori: none) GBA: N/A - Z80: (?) RST8_31h (ori: none) PlayCustomSoundEx(a,b,c) RST8_32h (ori: RST8_30h) BrightnessHalf ;[4000050h]=00FFh,[4000054h]=0008h RST8_33h (ori: RST8_31h) BrightnessNormal ;[4000050h]=0000h RST8_34h (ori: RST8_32h) N/A (bx lr) RST8_35h (ori: RST8_33h) (?) RST8_36h (ori: RST8_34h) ResetTimer ;[400010Ch]=00000000h, [400010Eh]=A+80h RST8_37h (ori: RST8_35h) GetTimer ;hl=[400010Ch] RST8_38h (ori: none) GBA: N/A - Z80: (?) Below is undefined/reserved/garbage (values as so in Z80 mode) (can be used to tweak jap/ori to start GBA-code from inside of Z80-code) (that, after relocating code to 3000xxxh via DMA via IoWrite function) RST8_39h (ori: RST8_36h) bx 0140014h RST8_3Ah (ori: RST8_37h) bx 3E700F0h RST8_3Bh (ori: RST8_38h) bx 3E70000h+1 RST8_3Ch (ori: RST8_39h) bx 3E703E6h+1 RST8_3Dh (ori: RST8_3Ah) bx 3E703E6h+1 RST8_3Eh (ori: RST8_3Bh) bx 3E703E6h+1 RST8_3Fh (ori: RST8_3Ch) bx 3E703E6h+1 40h-FFh (ori: 3Dh-FFh) bx ... |
RSTX_00h Wait8bit ;for 16bit: RST0_7Dh RSTX_01h GetKeyStateSticky() RSTX_02h GetKeyStateRaw() RSTX_03h (?) RSTX_04h (?) |
| GBA Cart e-Reader VPK Decompression |
collected32bit=80000000h ;initially empty (endflag in bit31)
for i=0 to 3, id[i]=read_bits(8), next i, if id[0..3]<>'vpk0' then error
dest_end=dest+read_bits(32) ;size of decompressed data (of all strips)
method=read_bits(8), if method>1 then error
tree_index=0, read_huffman_tree, disproot=tree_index
tree_index=tree_index+1, read_huffman_tree, lenroot=tree_index
;above stuff is contained only in the first strip. below loop starts at
;current location in first strip, and does then continue in further strips.
decompress_loop:
if read_bits(1)=0 then ;copy one uncompressed data byte,
[dest]=read_bits(8), dest=dest+1 ;does work without huffman trees
else
if disproot=-1 or lenroot=-1 then error ;compression does require trees
disp=read_tree(disproot)
if method=1 ;disp*4 is good for 32bit ARM opcodes
if disp>2 then disp=disp*4-8 else disp=disp+4*read_tree(disproot)-7
len=read_tree(lenroot)
if len=0 or disp<=0 or dest+len-1>dest_end then error ;whoops
for j=1 to len, [dest]=[dest-disp], dest=dest+1, next j
if dest<dest_end then decompress_loop
ret
|
mov data=0
for i=1 to num
shl collected32bit,1 ;move next bit to carry, or set zeroflag if empty
if zeroflag
collected32bit=[src+0]*1000000h+[src+1]*10000h+[src+2]*100h+[src+3]
src=src+4 ;read data in 32bit units, in reversed byte-order
carryflag=1 ;endbit
rcl collected32bit,1 ;move bit31 to carry (and endbit to bit0)
rcl data,1 ;move carry to data
next i
ret(data)
|
i=root_index
while node[i].right<>-1 ;loop until reaching data node
if read_bits(1)=1 then i=node[i].right else i=node[i].left
i=node[i].left ;get number of bits
i=read_bits(i) ;read that number of bits
ret(i) ;return that value
|
stacktop=sp if read_bits(1)=1 then tree_index=-1, ret ;exit (empty) node[tree_index].right=-1 ;indicate data node node[tree_index].left=read_bits(8) ;store data value if read_bits(1)=1 then ret ;exit (only 1 data node at root) push tree_index ;save previous (child) node tree_index=tree_index+1 jmp data_injump load_loop: push tree_index ;save previous (child) node tree_index=tree_index+1 if read_bits(1)=1 then parent_node data_injump: node[tree_index].right=-1 ;indicate data node node[tree_index].left=read_bits(8) ;store data value jmp load_loop parent_node: pop node[tree_index].right ;store 1st child pop node[tree_index].left ;store 2nd child if sp<>stacktop then jmp load_loop if read_bits(1)=0 then error ;end bit (must be 1) ret |
| GBA Cart e-Reader Error Correction |
reverse_byte_order(data,dtalen)
zerofill_error_bytes(data,errlen)
for i=dtalen-1 to errlen ;loop accross data portion
z = rev[ data[i] xor data[errlen-1] ] ;
for j=errlen-1 to 0 ;loop accross error-info portion
if j=0 then x=00h else x=data[j-1]
if z<>FFh then
y=gg[j], if y<>FFh then
y=y+z, if y>=FFh then y=y-FFh
x=x xor pow[y]
data[j]=x
next j
next i
invert_error_bytes(data,errlen)
reverse_byte_order(data,dtalen)
|
reverse_byte_order(data,dtalen)
invert_error_bytes(data,errlen)
make_rev(data,dtalen)
for i=78h to 78h+errlen-1
x=0, z=0
for j=0 to dtalen-1
y=data[j]
if y<>FFh then
y=y+z, if y>=FFh then y=y-FFh
x=x xor pow[y]
z=z+i, if z>=FFh then z=z-FFh
next j
if x<>0 then error
next i
;(if errors occured, could correct them now)
make_pow(data,dtalen)
invert_error_bytes(data,errlen)
reverse_byte_order(data,dtalen)
|
for i=0 to len-1, data[i]=rev[data[i]], next i |
for i=0 to len-1, data[i]=pow[data[i]], next i |
for i=0 to len-1, data[i]=data[i] xor FFh, next i |
for i=0 to len-1, data[i]=00h, next i |
for i=0 to (len-1)/2, x=data[i], data[i]=data[len-i], data[len-i]=x, next i |
x=01h, pow[FFh]=00h, rev[00h]=FFh
for i=00h to FEh
pow[i]=x, rev[x]=i, x=x*2, if x>=100h then x=x xor 187h
next i
|
gg[0]=pow[78h]
for i=1 to errlen-1
gg[i]=01h
for j=i downto 0
if j=0 then y=00h else y=gg[j-1]
x=gg[j], if x<>00h then
x=rev[x]+78h+i, if x>=FFh then x=x-FFh
y=y xor pow[x]
gg[j]=y
next j
next i
make_rev(gg,errlen)
|
00h,4Bh,EBh,D5h,EFh,4Ch,71h,00h,F4h,00h,71h,4Ch,EFh,D5h,EBh,4Bh |
pow = alpha_to, but generated as shown above rev = index_of, dito b0 = 78h nn = dtalen kk = dtalen-errlen %nn = MOD FFh (for the ereader that isn't MOD dtalen) -1 = FFh |
| GBA Cart e-Reader File Formats |
| GBA Cart Unknown Devices |
| GBA Flashcards |
configure_flashcard(9E2468Ah,9413h) ;unlock flash advance cards turbo=1, send_command(8000000h,90h) ;enter ID mode (both chips, if any) maker=[8000000h], device=[8000000h+2] IF maker=device THEN device=[8000000h+4] ELSE turbo=0 flashcard_read_mode ;exit ID mode search (maker+device*10000h) in device_list total/erase/write_block_size = list_entry SHL turbo |
FOR x=1 to len/erase_block_size send_command(dest,20h) ;erase sector command send_command(dest,D0h) ;confirm erase sector dest=dest+erase_block_size IF wait_busy=okay THEN NEXT x enter_read_mode ;exit erase/status mode |
siz=write_block_size FOR x=1 to len/siz IF siz=2 THEN send_command(dest,10h) ;write halfword command IF siz>2 THEN send_command(dest,E8h) ;write to buffer command IF siz>2 THEN send_command(dest,16-1) ;buffer size 16 halfwords (per chip) FOR y=1 TO siz/2 [dest]=[src], dest=dest+2, src=src+2 ;write data to buffer NEXT y IF siz>2 THEN send_command(dest,D0h) ;confirm write to buffer IF wait_busy=okay THEN NEXT x enter_read_mode ;exit write/status mode |
[adr]=val IF turbo THEN [adr+2]=val |
send_command(8000000h,FFh) ;exit status mode send_command(8000000h,FFh) ;again maybe more stable (as in jeff's source) |
start=time REPEAT stat=[8000000h] XOR 80h IF turbo THEN stat=stat OR ([8000000h+2] XOR 80h) IF (stat AND 7Fh)>0 THEN error IF (stat AND 80h)=0 THEN ready IF time-start>5secs THEN timeout UNTIL ready OR error OR timeout IF error OR timeout THEN send_command(8000000h,50h) ;clear status |
[930ECA8h]=5354h [802468Ah]=1234h, repeated 500 times [800ECA8h]=5354h [802468Ah]=5354h [802468Ah]=5678h, repeated 500 times [930ECA8h]=5354h [802468Ah]=5354h [8ECA800h]=5678h [80268A0h]=1234h [802468Ah]=ABCDh, repeated 500 times [930ECA8h]=5354h [adr]=val |
configure_flashcard(942468Ah,???) |
ID Code Total Erase Write Name -??-00DCh ? ? ? Hudson Cart (???) 00160089h 4M 128K 32 Intel i28F320J3A (Flash Advance) 00170089h 8M 128K 32 Intel i28F640J3A (Flash Advance) 00180089h 16M 128K 32 Intel i28F128J3A (Flash Advance) 00E200B0h ? 64K 2 Sharp LH28F320BJE ? (Nintendo) |
| GBA Cheat Devices |
| GBA Cheat Codes - General Info |
| GBA Cheat Codes - Codebreaker/Xploder |
0000xxxx 000y Enable Code 1 - Game ID 1aaaaaaa 000z Enable Code 2 - Hook Address 2aaaaaaa yyyy [aaaaaaa]=[aaaaaaa] OR yyyy 3aaaaaaa 00yy [aaaaaaa]=yy 4aaaaaaa yyyy [aaaaaaa+0..(cccc-1)*ssss]=yyyy+0..(cccc-1)*ssss iiiicccc ssss parameters for above code 5aaaaaaa cccc [aaaaaaa+0..(cccc-1)]=11,22,33,44,etc. 11223344 5566 parameter bytes 1..6 for above code (example) 77880000 0000 parameter bytes 7..8 for above code (padded with zero) 6aaaaaaa yyyy [aaaaaaa]=[aaaaaaa] AND yyyy 7aaaaaaa yyyy IF [aaaaaaa]=yyyy THEN (next code) 8aaaaaaa yyyy [aaaaaaa]=yyyy 9xyyxxxx xxxx Enable Code 0 - Encrypt all following codes (optional) Aaaaaaaa yyyy IF [aaaaaaa]<>yyyy THEN (next code) Baaaaaaa yyyy IF [aaaaaaa]>yyyy THEN (next code) (signed comparison) Caaaaaaa yyyy IF [aaaaaaa]<yyyy THEN (next code) (signed comparison) D0000020 yyyy IF [joypad] AND yyyy = 0 THEN (next code) Eaaaaaaa yyyy [aaaaaaa]=[aaaaaaa]+yyyy Faaaaaaa yyyy IF [aaaaaaa] AND yyyy THEN (next code) |
crc=FFFFh for i=0 to FFFFh x=byte[i] xor (crc/100h) x=x xor (x/10h) crc=(crc*100h) xor (x*1001h) xor (x*20h) next i |
for i=0 to 2Fh, swaplist[i]=i, next i
randomizer = 1111h xor byte[code+4] ;LSB value
for i=0 to 4Fh
exchange swaplist[random MOD 30h] with swaplist[random MOD 30h]
next i
halfword[seedlist+0] = halfword[code+0] ;LSW address
randomizer = 4EFAD1C3h
for i=0 to byte[code+3]-91h, randomizer=random, next i ;MSB address
word[seedlist+2]=random, halfword[seedlist+6]=random
randomizer = F254h xor byte[code+5] ;MSB value
for i=0 to byte[code+5]-01h, randomizer=random, next i ;MSB value
word[seedlist+8]=random, halfword[seedlist+12]=random
;note: byte[code+2] = don't care
ret
|
randomizer=randomizer*41C64E6Dh+3039h, x=(randomizer SHL 14 AND C0000000h) randomizer=randomizer*41C64E6Dh+3039h, x=(randomizer SHR 1 AND 3FFF8000h)+x randomizer=randomizer*41C64E6Dh+3039h, x=(randomizer SHR 16 AND 00007FFFh)+x return(x) |
for i=2Fh to 0
j=swaplist[i]
bitno1=(i AND 7), index1=xlatlist[i/8]
bitno2=(j AND 7), index2=xlatlist[j/8]
exchange [code+index1].bitno1 with [code+index2].bitno2
next i
word[code+0] = word[code+0] xor word[seedlist+8]
i = (byte[code+3]*1010000h + byte[code+0]*100h + byte[code+5])
i = (halfword[code+1]*10001h) xor (word[seedlist+2]) xor i
i = (byte[seedlist+0]*1010101h) xor (byte[seedlist+1]*1000000h) xor i
j = (byte[code+5] + (byte[code+0] xor byte[code+4])*100h)
j = (byte[seedlist+0]*101h) xor halfword[seedlist+6] xor j
word[code+0] = i, halfword[code+4] = j
|
| GBA Cheat Codes - Gameshark/Action Replay V1/V2 |
0aaaaaaa 000000xx [aaaaaaa]=xx 1aaaaaaa 0000xxxx [aaaaaaa]=xxxx 2aaaaaaa xxxxxxxx [aaaaaaa]=xxxxxxxx 3000cccc xxxxxxxx write xxxxxxxx to (cccc-1) addresses (list in next codes) aaaaaaaa aaaaaaaa parameter for above code, containing two addresses each aaaaaaaa 00000000 last parameter for above, zero-padded if only one address 60aaaaaa y000xxxx [8000000h+aaaaaa*2]=xxxx (ROM Patch) 8a1aaaaa 000000xx IF GS_Button_Down THEN [a0aaaaa]=xx 8a2aaaaa 0000xxxx IF GS_Button_Down THEN [a0aaaaa]=xxxx 80F00000 0000xxxx IF GS_Button_Down THEN slowdown xxxx * ??? cycles per hook Daaaaaaa 0000xxxx IF [aaaaaaa]=xxxx THEN (next code) E0zzxxxx 0aaaaaaa IF [aaaaaaa]=xxxx THEN (next 'zz' codes) Faaaaaaa 00000x0y Enable Code - Hook Routine xxxxxxxx 001DC0DE Enable Code - Game Code ID (value at [0ACh] in cartridge) DEADFACE 0000xxyy Change Encryption Seeds |
y=1 - Executes code handler without backing up the LR register. y=2 - Executes code handler and backs up the LR register. y=3 - Replaces a 32-bit pointer used for long-branches. x=0 - Must turn GSA off before loading game. x=1 - Must not do that. |
y=0 wait for the code handler to enable the patch y=1 patch is enabled before the game starts y=2 unknown ??? |
FOR I=1 TO 32
A=A + (V*16+S0) XOR (V+I*9E3779B9h) XOR (V/32+S1)
V=V + (A*16+S2) XOR (A+I*9E3779B9h) XOR (A/32+S3)
NEXT I
|
S0=09F4FBBDh S1=9681884Ah S2=352027E9h S3=F3DEE5A7h |
FOR y=0 TO 3
FOR x=0 TO 3
z = T1[(xx+x) AND FFh] + T2[(yy+y) AND FFh]
Sy = Sy*100h + (z AND FFh)
NEXT x
NEXT y
|
| GBA Cheat Codes - Pro Action Replay V3 |
C4aaaaaa 0000yyyy Enable Code - Hook Routine at [8aaaaaa] xxxxxxxx 001DC0DE Enable Code - ID Code [080000AC] DEADFACE 0000xxxx Enable Code - Change Encryption Seeds 00aaaaaa xxxxxxyy [a0aaaaa..a0aaaaa+xxxxxx]=yy 02aaaaaa xxxxyyyy [a0aaaaa..a0aaaaa+xxxx*2]=yyyy 04aaaaaa yyyyyyyy [a0aaaaa]=yyyyyyyy 40aaaaaa xxxxxxyy [ [a0aaaaa] + xxxxxx ]=yy (Indirect) 42aaaaaa xxxxyyyy [ [a0aaaaa] + xxxx*2 ]=yyyy (Indirect) 44aaaaaa yyyyyyyy [ [a0aaaaa] ]=yyyyyyyy (Indirect) 80aaaaaa 000000yy [a0aaaaa]=[a0aaaaa]+yy 82aaaaaa 0000yyyy [a0aaaaa]=[a0aaaaa]+yyyy 84aaaaaa yyyyyyyy [a0aaaaa]=[a0aaaaa]+yyyyyyyy C6aaaaaa 0000yyyy [4aaaaaa]=yyyy (I/O Area) C7aaaaaa yyyyyyyy [4aaaaaa]=yyyyyyyy (I/O Area) iiaaaaaa yyyyyyyy IF [a0aaaaa] <cond> <value> THEN <action> 00000000 60000000 ELSE (?) 00000000 40000000 ENDIF (?) 00000000 0800xx00 AR Slowdown : loops the AR xx times 00000000 00000000 End of the code list 00000000 10aaaaaa 000000zz 00000000 IF AR_BUTTON THEN [a0aaaaa]=zz 00000000 12aaaaaa 0000zzzz 00000000 IF AR_BUTTON THEN [a0aaaaa]=zzzz 00000000 14aaaaaa zzzzzzzz 00000000 IF AR_BUTTON THEN [a0aaaaa]=zzzzzzzz 00000000 18aaaaaa 0000zzzz 00000000 [8000000+aaaaaa*2]=zzzz (ROM Patch 1) 00000000 1Aaaaaaa 0000zzzz 00000000 [8000000+aaaaaa*2]=zzzz (ROM Patch 2) 00000000 1Caaaaaa 0000zzzz 00000000 [8000000+aaaaaa*2]=zzzz (ROM Patch 3) 00000000 1Eaaaaaa 0000zzzz 00000000 [8000000+aaaaaa*2]=zzzz (ROM Patch 4) |
00000000 80aaaaaa 000000yy ssccssss repeat cc times [a0aaaaa]=yy (with yy=yy+ss, a0aaaaa=a0aaaaa+ssss after each step) |
00000000 82aaaaaa 0000yyyy ssccssss repeat cc times [a0aaaaa]=yyyy (with yyyy=yyyy+ss, a0aaaaa=a0aaaaa+ssss*2 after each step) |
00000000 84aaaaaa yyyyyyyy ssccssss repeat cc times [a0aaaaa]=yyyyyyyy (with yyyy=yyyy+ss, a0aaaaa=a0aaaaa+ssss*4 after each step) |
<cond> <value> <action> 08 Equal = 00 8bit zz 00 execute next code 10 Not equal <> 02 16bit zzzz 40 execute next two codes 18 Signed < 04 32bit zzzzzzzz 80 execute all following 20 Signed > 06 (always false) codes until ELSE or ENDIF 28 Unsigned < C0 normal ELSE turn off all codes 30 Unsigned > 38 Logical AND |
For the "Always..." codes: - XXXXXXXX can be any authorised address except 00000000 (eg. use 02000000). - ZZZZZZZZ can be anything. - The "y" in the code data must be in the [1-7] range (which means not 0). typ=y,sub=0,siz=3 Always skip next line. typ=y,sub=1,siz=3 Always skip next 2 lines. typ=y,sub=2,siz=3 Always Stops executing all the codes below. typ=y,sub=3,siz=3 Always turn off all codes. |
adr mask = 003FFFFF n/a mask = 00C00000 ;not used xtr mask = 01000000 ;used only by I/O write, and MSB of Hook siz mask = 06000000 typ mask = 38000000 ;0=normal, other=conditional sub mask = C0000000 |
S0=7AA9648Fh S1=7FAE6994h S2=C0EFAAD5h S3=42712C57h |
| GBA Gameboy Player |
| BIOS Functions |
| BIOS Function Summary |
GBA NDS7 NDS9 Function 00h 00h 00h SoftReset 01h - - RegisterRamReset 02h 06h 06h Halt 03h 07h - Stop/Sleep 04h 04h 04h IntrWait 05h 05h 05h VBlankIntrWait 06h 09h 09h Div 07h - - DivArm 08h 0Dh 0Dh Sqrt 09h - - ArcTan 0Ah - - ArcTan2 0Bh 0Bh 0Bh CpuSet 0Ch 0Ch 0Ch CpuFastSet 0Dh - - GetBiosChecksum 0Eh - - BgAffineSet 0Fh - - ObjAffineSet 10h 10h 10h BitUnPack 11h 11h 11h LZ77UnCompWram 12h 12h 12h LZ77UnCompVram 13h 13h 13h HuffUnComp 14h 14h 14h RLUnCompWram 15h 15h 15h RLUnCompVram 16h - 16h Diff8bitUnFilterWram 17h - - Diff8bitUnFilterVram 18h - 18h Diff16bitUnFilter 19h 08h - SoundBias 1Ah - - SoundDriverInit 1Bh - - SoundDriverMode 1Ch - - SoundDriverMain 1Dh - - SoundDriverVSync 1Eh - - SoundChannelClear 1Fh - - MidiKey2Freq 20h - - SoundWhatever0 21h - - SoundWhatever1 22h - - SoundWhatever2 23h - - SoundWhatever3 24h - - SoundWhatever4 25h - - MultiBoot 26h - - HardReset 27h 1Fh - CustomHalt 28h - - SoundDriverVSyncOff 29h - - SoundDriverVSyncOn 2Ah - - SoundGetJumpList - 03h 03h WaitByLoop - 0Eh 0Eh GetCRC16 - 0Fh 0Fh IsDebugger - 1Ah - GetSineTable - 1Bh - GetPitchTable - 1Ch - GetVolumeTable - 1Dh - GetBootProcs - - 1Fh CustomPost |
| BIOS Differences between GBA and NDS functions |
| BIOS Arithmetic Functions |
r0 signed 32bit Number r1 signed 32bit Denom |
r0 Number DIV Denom ;signed r1 Number MOD Denom ;signed r3 ABS (Number DIV Denom) ;unsigned |
r0 unsigned 32bit number |
r0 unsigned 16bit number |
r0 Tan, 16bit (1bit sign, 1bit integral part, 14bit decimal part) |
r0 "-PI/2<THETA/<PI/2" in a range of C000h-4000h. |
r0 X, 16bit (1bit sign, 1bit integral part, 14bit decimal part) r1 Y, 16bit (1bit sign, 1bit integral part, 14bit decimal part) |
r0 0000h-FFFFh for 0<=THETA<2PI. |
| BIOS Rotation/Scaling Functions |
r0 Pointer to Source Data Field with entries as follows:
s32 Original data's center X coordinate (8bit fractional portion)
s32 Original data's center Y coordinate (8bit fractional portion)
s16 Display's center X coordinate
s16 Display's center Y coordinate
s16 Scaling ratio in X direction (8bit fractional portion)
s16 Scaling ratio in Y direction (8bit fractional portion)
u16 Angle of rotation (8bit fractional portion) Effective Range 0-FFFF
r1 Pointer to Destination Data Field with entries as follows:
s16 Difference in X coordinate along same line
s16 Difference in X coordinate along next line
s16 Difference in Y coordinate along same line
s16 Difference in Y coordinate along next line
s32 Start X coordinate
s32 Start Y coordinate
r2 Number of Calculations
|
r0 Source Address, pointing to data structure as such:
s16 Scaling ratio in X direction (8bit fractional portion)
s16 Scaling ratio in Y direction (8bit fractional portion)
u16 Angle of rotation (8bit fractional portion) Effective Range 0-FFFF
r1 Destination Address, pointing to data structure as such:
s16 Difference in X coordinate along same line
s16 Difference in X coordinate along next line
s16 Difference in Y coordinate along same line
s16 Difference in Y coordinate along next line
r2 Number of calculations
r3 Offset in bytes for parameter addresses (2=continuous, 8=OAM)
|
| BIOS Decompression Functions |
r0 Source Address (no alignment required)
r1 Destination Address (must be 32bit-word aligned)
r2 Pointer to UnPack information:
16bit Length of Source Data in bytes (0-FFFFh)
8bit Width of Source Units in bits (only 1,2,4,8 supported)
8bit Width of Destination Units in bits (only 1,2,4,8,16,32 supported)
32bit Data Offset (Bit 0-30), and Zero Data Flag (Bit 31)
The Data Offset is always added to all non-zero source units.
If the Zero Data Flag was set, it is also added to zero units.
|
unfiltered: 10 11 12 13 14 15 16 17 18 19 filtered: 10 +1 +1 +1 +1 +1 +1 +1 +1 +1 |
r0 Source address (must be aligned by 4) pointing to data as follows:
Data Header (32bit)
Bit 0-3 Data size (must be 1 for Diff8bit, 2 for Diff16bit)
Bit 4-7 Type (must be 8 for DiffFiltered)
Bit 8-31 24bit size after decompression
Data Units (each 8bit or 16bit depending on used SWI function)
Data0 ;original data
Data1-Data0 ;difference data
Data2-Data1 ;...
Data3-Data2
...
r1 Destination address
|
r0 Source Address, aligned by 4, pointing to:
Data Header (32bit)
Bit0-3 Data size in bit units (normally 4 or 8)
Bit4-7 Compressed type (must be 2 for Huffman)
Bit8-31 24bit size of decompressed data in bytes
Tree Size (8bit)
Bit0-7 Size of Tree Table/2-1 (ie. Offset to Compressed Bitstream)
Tree Table (list of 8bit nodes, starting with the root node)
Root Node and Non-Data-Child Nodes are:
Bit0-5 Offset to next child node,
Next child node0 is at (CurrentAddr AND NOT 1)+Offset*2+2
Next child node1 is at (CurrentAddr AND NOT 1)+Offset*2+2+1
Bit6 Node1 End Flag (1=Next child node is data)
Bit7 Node0 End Flag (1=Next child node is data)
Data nodes are (when End Flag was set in parent node):
Bit0-7 Data (upper bits should be zero if Data Size is less than 8)
Compressed Bitstream (stored in units of 32bits)
Bit0-31 Node Bits (Bit31=First Bit) (0=Node0, 1=Node1)
r1 Destination Address
r2 Callback parameter (NDS SWI 13h only, see Callback notes below)
r3 Callback structure (NDS SWI 13h only, see Callback notes below)
|
lea ebx,[esi+1] ;\ mov @@root,ebx ; init source pointers movzx eax,byte ptr ds:[esi] ; lea esi,[esi+eax*2+2] ;/ mov edx,80000000h ;stop-bit |
mov dword ptr [@@data],0 mov byte ptr [@@cnt],-32 ;--- bit loop --- |
mov al,byte ptr ds:[ebx] ;\ mov ch,al ;bit6,bit7 ; get node entry (offset/flags) and eax,0000003fh ;offset ;/ and ebx,not 1 ;addr AND not 1;-align curr addr (for below offset) lea ebx,[ebx+eax*2+2] ;-and add offset to node0 (node1 if at addr+1) add edx,edx ;=cy ;\ jz @@collect_bits ; get next bit to carry |
jnc short @@node0 ;\ inc ebx ;addr+1 ; node0 or node1 add ch,ch ;bit6 to bit7 ; |
add ch,ch ;bit7 to cy ;\check if next node is data jnc short @@lop ;next child ;/ ;--- data node --- mov al,byte ptr ds:[ebx] ;\ |
or byte ptr [@@data],al ; ror dword ptr [@@data],cl ;/ mov ebx,@@root ;-back to root node add byte ptr [@@cnt],cl ;\check if collected 32bit data js short @@lop ;/which would be to be stored in RAM now mov eax,dword ptr [@@data] ;\ stosd ; store data, check if done sub @@len,4 ; ja short @@data_lop ;/ |
ret |
lodsd ;cy=same (!) adc eax,eax ;bit31 to cy, and bit0=1 (=incoming cy=stop-bit) mov edx,eax jmp short @@collect_back ;out: cy |
r0 Source address, pointing to data as such:
Data header (32bit)
Bit 0-3 Reserved
Bit 4-7 Compressed type (must be 1 for LZ77)
Bit 8-31 Size of decompressed data
Repeat below. Each Flag Byte followed by eight Blocks.
Flag data (8bit)
Bit 0-7 Type Flags for next 8 Blocks, MSB first
Block Type 0 - Uncompressed - Copy 1 Byte from Source to Dest
Bit 0-7 One data byte to be copied to dest
Block Type 1 - Compressed - Copy N+3 Bytes from Dest-Disp-1 to Dest
Bit 0-3 Disp MSBs
Bit 4-7 Number of bytes to copy (minus 3)
Bit 8-15 Disp LSBs
r1 Destination address
r2 Callback parameter (NDS SWI 12h only, see Callback notes below)
r3 Callback structure (NDS SWI 12h only, see Callback notes below)
|
r0 Source Address, pointing to data as such:
Data header (32bit)
Bit 0-3 Reserved
Bit 4-7 Compressed type (must be 3 for run-length)
Bit 8-31 Size of decompressed data
Repeat below. Each Flag Byte followed by one or more Data Bytes.
Flag data (8bit)
Bit 0-6 Expanded Data Length (uncompressed N-1, compressed N-3)
Bit 7 Flag (0=uncompressed, 1=compressed)
Data Byte(s) - N uncompressed bytes, or 1 byte repeated N times
r1 Destination Address
r2 Callback parameter (NDS SWI 15h only, see Callback notes below)
r3 Callback structure (NDS SWI 15h only, see Callback notes below)
|
r2 = user defined callback parameter (passed on to Open function) r3 = pointer to callback structure |
Open_and_get_32bit (eg. LDR r0,[r0], get header) Close (optional, 0=none) Get_8bit (eg. LDRB r0,[r0]) Get_16bit (not used) Get_32bit (used by Huffman only) |
| BIOS Memory Copy |
r0 Source address (must be aligned by 4)
r1 Destination address (must be aligned by 4)
r2 Length/Mode
Bit 0-20 Wordcount (GBA: must be a multiple of 8 words)
Bit 24 Fixed Source Address (0=Copy, 1=Fill by WORD[r0])
|
r0 Source address (must be aligned by 4 for 32bit, by 2 for 16bit)
r1 Destination address (must be aligned by 4 for 32bit, by 2 for 16bit)
r2 Length/Mode
Bit 0-20 Wordcount (for 32bit), or Halfwordcount (for 16bit)
Bit 24 Fixed Source Address (0=Copy, 1=Fill by {HALF}WORD[r0])
Bit 26 Datasize (0=16bit, 1=32bit)
|
| BIOS Halt Functions |
r0 0=Return immediately if an old flag was already set (NDS9: bugged!)
1=Discard old flags, wait until a NEW flag becomes set
r1 Interrupt flag(s) to wait for (same format as IE/IF registers)
|
Host GBA (16bit) NDS7 (32bit) NDS9 (32bit) Address [3007FF8h] [380FFF8h] [DTCM+3FF8h] |
r2 8bit parameter (GBA: 00h=Halt, 80h=Stop) (NDS7: 80h=Halt, C0h=Sleep) |
| BIOS Reset Functions |
Host sp_svc sp_irq sp_sys zerofilled area return address GBA 3007FE0h 3007FA0h 3007F00h [3007E00h..3007FFFh] Flag[3007FFAh] NDS7 380FFDCh 380FFB0h 380FF00h [380FE00h..380FFFFh] Addr[27FFE34h] NDS9 0803FC0h 0803FA0h 0803EC0h [DTCM+3E00h..3FFFh] Addr[27FFE24h] |
r0 ResetFlags
Bit Expl.
0 Clear 256K on-board WRAM ;-don't use when returning to WRAM
1 Clear 32K in-chip WRAM ;-excluding last 200h bytes
2 Clear Palette
3 Clear VRAM
4 Clear OAM ;-zerofilled! does NOT disable OBJs!
5 Reset SIO registers ;-switches to general purpose mode!
6 Reset Sound registers
7 Reset all other registers (except SIO, Sound)
|
| BIOS Misc Functions |
r0 Delay value (should be in range 1..7FFFFFFFh) |
r0 Initial CRC value (16bit, usually FFFFh) r1 Start Address (must be aligned by 2) r2 Length in bytes (must be aligned by 2) |
val[0..7] = C0C1h,C181h,C301h,C601h,CC01h,D801h,F001h,A001h
for i=start to end
crc=crc xor byte[i]
for j=0 to 7
crc=crc shr 1:if carry then crc=crc xor (val[j] shl (7-j))
next j
next i
|
r0 Calculated 16bit CRC Value |
r0 Index (0..3Fh) (must be in that range, otherwise returns garbage) |
r0 Index (0..2FFh) (must be in that range, otherwise returns garbage) |
r0 Index (0..2D3h) (must be in that range, otherwise returns garbage) |
r0 32bit value, to be written to POSTFLG, Port 4000300h |
| BIOS Multi Boot (Single Game Pak) |
r0 Pointer to MultiBootParam structure
r1 Transfer Mode (undocumented)
0=256KHz, 32bit, Normal mode (fast and stable)
1=115KHz, 16bit, MultiPlay mode (default, slow, up to three slaves)
2=2MHz, 32bit, Normal mode (fastest but maybe unstable)
Note: HLL-programmers that are using the MultiBoot(param_ptr) macro cannot
specify the transfer mode and will be forcefully using MultiPlay mode.
|
r0 0=okay, 1=failed |
Addr Size Name/Expl. 14h 1 handshake_data (entry used for normal mode only) 19h 3 client_data[1,2,3] 1Ch 1 palette_data 1Eh 1 client_bit (Bit 1-3 set if child 1-3 detected) 20h 4 boot_srcp (typically 8000000h+0C0h) 24h 4 boot_endp (typically 8000000h+0C0h+length) |
Times Send Receive Expl. -----------------------Required Transfer Initiation in master program ... 6200 FFFF Slave not in multiplay/normal mode yet 1 6200 0000 Slave entered correct mode now 15 6200 720x Repeat 15 times, if failed: delay 1/16s and restart 1 610y 720x Recognition okay, exchange master/slave info 60h xxxx NN0x Transfer C0h bytes header data in units of 16bits 1 6200 000x Transfer of header data completed 1 620y 720x Exchange master/slave info again ... 63pp 720x Wait until all slaves reply 73cc instead 720x 1 63pp 73cc Send palette_data and receive client_data[1-3] 1 64hh 73uu Send handshake_data for final transfer completion -----------------------Below is SWI 25h MultiBoot handler in BIOS DELAY - - Wait 1/16 seconds at master side 1 llll 73rr Send length information and receive random data[1-3] LEN yyyy nnnn Transfer main data block in units of 16 or 32 bits 1 0065 nnnn Transfer of main data block completed, request CRC ... 0065 0074 Wait until all slaves reply 0075 instead 0074 1 0065 0075 All slaves ready for CRC transfer 1 0066 0075 Signalize that transfer of CRC follows 1 zzzz zzzz Exchange CRC must be same for master and slaves -----------------------Optional Handshake (NOT part of master/slave BIOS) ... .... .... Exchange whatever custom data |
y client_bit, bit(s) 1-3 set if slave(s) 1-3 detected x bit 1,2,or 3 set if slave 1,2,or 3 xxxx header data, transferred in 16bit (!) units (even in 32bit normal mode) nn response value for header transfer, decreasing 60h..01h pp palette_data cc random client_data[1..3] from slave 1-3, FFh if slave not exists hh handshake_data, 11h+client_data[1]+client_data[2]+client_data[3] uu random data, not used, ignore this value |
llll download length/4-34h rr random data from each slave for encryption, FFh if slave not exists yyyy encoded data in 16bit (multiplay) or 32bit (normal mode) units nnnn response value, lower 16bit of destadr in GBA memory (00C0h and up) zzzz 16bit download CRC value, must be same for master and slaves |
if normal_mode then c=C387h:x=C37Bh:k=43202F2Fh
if multiplay_mode then c=FFF8h:x=A517h:k=6465646Fh
m=dword(pp,cc,cc,cc):f=dword(hh,rr,rr,rr)
for ptr=000000C0h to (file_size-4) step 4
c=c xor data[ptr]:for i=1 to 32:c=c shr 1:if carry then c=c xor x:next
m=(6F646573h*m)+1
send_32_or_2x16 (data[ptr] xor (-2000000h-ptr) xor m xor k)
next
c=c xor f:for i=1 to 32:c=c shr 1:if carry then c=c xor x:next
wait_all_units_ready_for_checksum:send_32_or_1x16 (c)
|
| BIOS Sound Functions |
r0 WaveData* wa r1 u8 mk r2 u8 fp |
r0 u32 |
r0 BIAS level (0=Level 000h, any other value=Level 200h) r1 Delay Count (NDS only) (GBA uses a fixed delay count of 8) |
r0 Pointer to work area for sound driver, SoundArea structure as follows:
SoundArea (sa) Structure
u32 ident Flag the system checks to see whether the
work area has been initialized and whether it
is currently being accessed.
vu8 DmaCount User access prohibited
u8 reverb Variable for applying reverb effects to direct sound
u16 d1 User access prohibited
void (*func)() User access prohibited
int intp User access prohibited
void* NoUse User access prohibited
SndCh vchn[MAX] The structure array for controlling the direct
sound channels (currently 8 channels are
available). The term "channel" here does
not refer to hardware channels, but rather to
virtual constructs inside the sound driver.
s8 pcmbuf[PCM_BF*2]
SoundChannel Structure
u8 sf The flag indicating the status of this channel.
When 0 sound is stopped.
To start sound, set other parameters and
then write 80h to here.
To stop sound, logical OR 40h for a
release-attached off (key-off), or write zero
for a pause. The use of other bits is
prohibited.
u8 r1 User access prohibited
u8 rv Sound volume output to right side
u8 lv Sound volume output to left side
u8 at The attack value of the envelope. When the
sound starts, the volume begins at zero and
increases every 1/60 second. When it
reaches 255, the process moves on to the
next decay value.
u8 de The decay value of the envelope. It is
multiplied by "this value/256" every 1/60
sec. and when sustain value is reached, the
process moves to the sustain condition.
u8 su The sustain value of the envelope. The
sound is sustained by this amount.
(Actually, multiplied by rv/256, lv/256 and
output left and right.)
u8 re The release value of the envelope. Key-off
(logical OR 40h in sf) to enter this state.
The value is multiplied by "this value/256"
every 1/60 sec. and when it reaches zero,
this channel is completely stopped.
u8 r2[4] User access prohibited
u32 fr The frequency of the produced sound.
Write the value obtained with the
MidiKey2Freq function here.
WaveData* wp Pointer to the sound's waveform data. The waveform
data can be generated automatically from the AIFF
file using the tool (aif2agb.exe), so users normally
do not need to create this themselves.
u32 r3[6] User access prohibited
u8 r4[4] User access prohibited
WaveData Structure
u16 type Indicates the data type. This is currently not used.
u16 stat At the present time, non-looped (1 shot) waveform
is 0000h and forward loop is 4000h.
u32 freq This value is used to calculate the frequency.
It is obtained using the following formula:
sampling rate x 2^((180-original MIDI key)/12)
u32 loop Loop pointer (start of loop)
u32 size Number of samples (end position)
s8 data[] The actual waveform data. Takes (number of samples+1)
bytes of 8bit signed linear uncompressed data. The last
byte is zero for a non-looped waveform, and the same
value as the loop pointer data for a looped waveform.
|
r0 Sound driver operation mode
Bit Expl.
0-6 Direct Sound Reverb value (0-127, default=0) (ignored if Bit7=0)
7 Direct Sound Reverb set (0=ignore, 1=apply reverb value)
8-11 Direct Sound Simultaneously-produced (1-12 channels, default 8)
12-15 Direct Sound Master volume (1-15, default 15)
16-19 Direct Sound Playback Frequency (1-12 = 5734,7884,10512,13379,
15768,18157,21024,26758,31536,36314,40137,42048, def 4=13379 Hz)
20-23 Final number of D/A converter bits (8-11 = 9-6bits, def. 9=8bits)
24-31 Not used.
|
r0 Destination address (must be aligned by 4) (120h bytes buffer) |
| Unpredictable Things |
| External Connectors |
| AUX GBA Game Pak Bus |
Pin Name Dir Expl. 1 VDD O Power Supply 3.3V DC 2 PHI O System Clock (selectable none, 4.19MHz, 8.38MHz, 16.78MHz) 3 /WR O Write Select ;\latched address to be incremented on 4 /RD O Read Select ;/rising edges of /RD or /WR signals 5 /CS O ROM Chip Select ;-A0..A15 to be latched on falling edge 6-21 AD0-15 I/O lower 16bit Address and/or 16bit ROM-data (see below) 22-29 A16-23 I/O upper 8bit ROM-Address or 8bit SRAM-data (see below) 30 /CS2 O SRAM Chip Select 31 /REQ I Interrupt request (/IREQ) or DMA request (/DREQ) 32 GND O Ground 0V |
| AUX DS Game Card Slot |
Pin Dir Name Connection in cartridge 1 > - GND (ROM all unused Pins, EEPROM Pin 4 = VSS) 2 Out CLK (4MB/s, ROM Pin 5, EEPROM Pin 6 = CLK) 3 N ? ? (ROM Pin 17) (Seems to be not connected in console) 4 i Out /CS1 (ROM Pin 44) ROM Chipselect 5 n Out /RES (ROM Pin 42) Reset, switches ROM to unencrypted mode 6 t Out /CS2 (EPROM Pin 1) EEPROM Chipselect 7 e In IRQ (GND) 8 n - 3.3V (ROM Pins 2, 23, EEPROM Pins 3,7,8 = /W,/HOLD,VCC) 9 d I/O D0 (ROM Pin 18) 10 o I/O D1 (ROM Pin 19) 11 I/O D2 (ROM Pin 20) 12 C I/O D3 (ROM Pin 21) 13 0 I/O D4 (ROM Pin 24) 14 1 I/O D5 (ROM Pin 25) 15 - I/O D6 (ROM Pin 26, EEPROM Pin 2 = Q = Data EEPROM to NDS) 16 0 I/O D7 (ROM Pin 27, EEPROM Pin 5 = D = Data NDS to EEPROM) 17 1 - GND (ROM all unused Pins, EEPROM Pin 4 = VSS) |
| AUX Link Port |
Pin Name Cable 1 VDD35 N/A GBA Socket GBA Plug Old "8bit" Plug 2 SO Red ___________ _________ ___________ 3 SI Orange | 2 4 6 | / 2 4 6 \ | 2 4 6 | 4 SD Brown \_1_ 3 _5_/ \_1_ 3 _5_/ \_1__3__5_/ 5 SC Green '-' '-' 6 GND Blue Socket Outside View / Plug Inside View Shield Shield |
Big Plug Middle Socket Small Plug Plug 1 Plug 2 SI _________________ ____ SI SI ______ ______SI SO ____________SO |__ | ___ SO SO ______><______SO GND____________GND______|____GND GND_____________GND SD ____________SD____________ SD SD SD SC ____________SC____________ SC SC _____________ SC Shield_______Shield_______Shield Shield_______Shield |
| AUX Sound/Headphone Socket and Battery/Power Supply |
Tip Audio Left ___ ___ _____+-----------+ Middle Audio Right (___|___|_____| | Base Ground L R GND +-----------+ |
Pin SP NDS Expl. 1 P31 SL Audio LOUT _____________ 2 P32 VIN Supply Input (DC 5.2V) SW| 5 ___ 1 |SL 3 P33 SR Audio ROUT | ---- ---- | 4 P34 SG Audio GND (via 100uF to GND) |_6__4 3__2_| 5 P35 SW Audio Speaker Disable (GND=Dis) GND SG\_/SR VIN 6 GND Supply GND Shield GND |
Pin Expl. __________ 1 Supply Input (DC 5.2V) / ====== \ 2 Supply GND GND |___2__1___| VIN |
PC +5V (red) --------|>|---|>|-------- GBA BT+ PC GND (black) ------------------------- GBA BT- |
| AUX Opening the GBA |
| AUX Mainboard |
| Pinouts - CPU - Signal Summary |
| Pinouts - CPU - Pinouts |
1 VDD3 17 D0 33 A0 49 WA4 65 VDD2 81 WD9 97 LDB5 113 CK1 2 IN35 18 A15 34 /CS 50 WA5 66 WD5 82 WD1 98 LDB4 114 CK2 3 TP8 19 A14 35 /RD 51 WA6 67 WD13 83 /WOE 99 LDB3 115 VDD2 4 TP0 20 A13 36 /WR 52 WA7 68 WD6 84 DCK 100 LDB2 116 GND 5 TP1 21 A12 37 PHI 53 /WLB 69 WD14 85 LP 101 LDB1 117 VDD2 6 SO1 22 A11 38 VDD35 54 /WUB 70 WD7 86 PS 102 GND 118 VCNT5 7 SO2 23 A10 39 GND 55 /WWE 71 WD15 87 LDR5 103 VDD3 119 TP9 8 Vin 24 A9 40 SC 56 WA8 72 WD8 88 LDR4 104 SPL 120 TP6 9 /RES 25 A8 41 SD 57 WA9 73 WD16 89 LDR3 105 CLS 121 TP5 10 D7 26 A7 42 SI 58 WA10 74 WA16 90 LDR2 106 SPS 122 TP7 11 D6 27 A6 43 SO 59 WA11 75 WD12 91 LDR1 107 MOD 123 TP4 12 D5 28 A5 44 VDD2 60 WA12 76 WD4 92 LDG5 108 REVC 124 /FIQ 13 D4 29 A4 45 WA0 61 WA13 77 WD11 93 LDG4 109 GNDed 125 /RESET 14 D3 30 A3 46 WA1 62 WA14 78 WD3 94 LDG3 110 GNDed 126 TP2 15 D2 31 A2 47 WA2 63 WA15 79 WD10 95 LDG2 111 GNDed 127 TP3 16 D1 32 A1 48 WA3 64 GND 80 WD2 96 LDG1 112 GNDed 128 GND |
1 IN35 21 D0 41 A0 61 WA4 81 WD13 101 GND 121 LDB4 141 GND 2 TP8 22 A15 42 /CS 62 WA5 82 WD6 102 VDD1 122 LDB3 142 VDD3 3 TP0 23 A14 43 /RD 63 WA6 83 WD14 103 GND 123 LDB2 143 GND 4 TP1 24 A13 44 /WR 64 WA7 84 WD7 104 VDD3 124 LDB1 144 VCNT5 5 SO1 25 A12 45 PHI 65 /WLB 85 WD15 105 DCK 125 GND 145 TP9 6 SO2 26 A11 46 VDD35 66 /WUB 86 WD8 106 LP 126 VDD3 146 TP6 7 Vin 27 GND 47 GND 67 GND 87 WD16 107 PS 127 SPL 147 TP5 8 VDD1 28 VDD35 48 SC 68 VDD2 88 WA16 108 LDR5 128 CLS 148 TP7 9 GND 29 A10 49 SD 69 /WWE 89 VDD2 109 LDR4 129 SPS 149 TP4 10 VDD35 30 A9 50 SI 70 WA8 90 GND 110 LDR3 130 MOD 150 /FIQ 11 /RES 31 A8 51 SO 71 WA9 91 WD12 111 LDR2 131 REVC 151 /RESET 12 D7 32 A7 52 VDD35 72 WA10 92 WD4 112 LDR1 132 GND 152 ? 13 D6 33 A6 53 GND 73 WA11 93 WD11 113 LDG5 133 GND 153 TP3 14 D5 34 A5 54 VDD1 74 WA12 94 WD3 114 LDG4 134 GND 154 TP2 15 D4 35 A4 55 GND 75 WA13 95 WD10 115 LDG3 135 GND 155 VDD3 16 D3 36 GND 56 VDD2 76 WA14 96 WD2 116 LDG2 136 VDD1 156 GND 17 D2 37 VDD35 57 WA0 77 WA15 97 WD9 117 LDG1 137 GND 18 GND 38 A3 58 WA1 78 GND 98 WD1 118 GND 138 CK1 19 VDD35 39 A2 59 WA2 79 VDD2 99 /WOE 119 VDD3 139 CK2 20 D1 40 A1 60 WA3 80 WD5 100 VDD2 120 LDB5 140 VDD2 |
| Pinouts - Audio Amplifiers |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 C38 FR1 FR2 FL1 FL2 GND RIN LIN C39 VOL SW VDD5 LOUT VCC3 ROUT VCC3 SP GND |
1-OUT A 2-IN A 3-BYPASS 4-GND 5-SHUTDOWN 6-IN B 7-OUT A 8-VDD.VQ5 |
| Pinouts - LCD Cables |
1 ? 6 GND 11 LDR2 16 LDG2 21 LDB3 26 SPS 31 P2-VSS 36 V4 2 VSHD 7 VSHD 12 LDR1 17 LDG1 22 LDB2 27 ? 32 P2-VCC 37 V3 3 DCK 8 LDR5 13 LDG5 18 GND 23 LDB1 28 MOD 33 ? 38 V2 4 LP 9 LDR4 14 LDG4 19 LDB5 24 SPL 29 VCOM 34 VDD5 39 V1 5 PS 10 LDR3 15 LDG3 20 LDB4 25 CLS 30 P2-VEE 35 GND 40 V0 |
1 VSHD 5 VSHD 9 LDR3 13 LDG4 17 GND 21 LDB2 25 SPS 29 P2VSS 33 U83 2 DCK 6 GND 10 LDR2 14 LDG3 18 LDB5 22 LDB1 26 MOD 30 COM 34 VDD5 3 LP 7 LDR5 11 LDR1 15 LDG2 19 LDB4 23 SPL 27 REVC 31 VDD5 4 PS 8 LDR4 12 LDG5 16 LDG1 20 LDB3 24 CLS 28 P2VDD 32 GND |
___NDS upper screen/upper backlight/speakers socket (P3)_____________________ 1-SPLO 7-PS2 13-LDR2 19-GND 25-LDG2 31-LDB2 37-MOD2 43-VDD15 49-SPRO 2-SPLO 8-REV2 14-LDR1 20-DCLK2 26-LDG1 32-LDB1 38-GND 44-VDD-5 50-GND 3-SSC2 9-GND 15-LDR0 21-GND 27-LDG0 33-LDB0 39-VDD5 45-VDD-10 51-GND 4-ASC2 10-LDR5 16-LS2 22-LDG5 28-LDB5 34-GCK2 40-VDD10 46-LEDC2 5-GND 11-LDR4 17-VSHD 23-LDG4 29-LDB4 35-GSP2 41-COM2 47-LEDA2 6-SPL2 12-LDR3 18-DISP1 24-LDG3 30-LDB3 36-GND 42-GND 48-SPRO ___NDS lower screen socket (P4)______________________________________________ 1-SSC1 6-REV1 11-LDR2 16-DISP0 21-LDG4 26-LDB5 31-LDB0 36-GND 41-VDD15 2-ASC1 7-GND 12-LDR1 17-SPL1 22-LDG3 27-LDB4 32-GCK1 37-? 42-VDD10 3-GND 8-LDR5 13-LDR0 18-DCLK1 23-LDG2 28-LDB3 33-GSP1 38-VDD5 43-GND 4-? 9-LDR4 14-LS1 19-GND 24-LDG1 29-LDB2 34-VSHD 39-COM1 44-VDD-5 5-PS1 10-LDR3 15-VSHD 20-LDG5 25-LDG0 30-LDB1 35-MOD1 40-GND 45-VDD-10 ___NDS lower backlight socket (P5)____ ___NDS touchscreen socket (P6)______ 1:LEDA1 2:LEDA1 3:LEDC1 4:LEDC1 1:Y- 2:X- 3:Y+ 4:X+ |
___NDS-Lite upper screen/upper backlight/speakers socket (P3)________________ 1-VDD-5 6-MOD 11-LD2xx 16-LD2xx 21-LD2xx 26-LD2xx 31-LS 36-GND 41-SPRO 2-VDD10 7-GSP 12-LD2xx 17-LD2xx 22-LD2xx 27-LD2xx 32-VSHD 37-COM2 42-SG 3-VDD5 8-GCK 13-LD2xx 18-GND 23-LD2xx 28-GND 33-GND 38-LEDA2 43-SG 4-GND 9-LD2xx 14-LD2xx 19-LD2xx 24-LD2xx 29-DCLK 34-xx2? 39-LEDC2 44-SPLO 5-VSHD 10-LD2xx 15-LD2xx 20-LD2xx 25-LD2xx 30-SPL 35-REV 40-SPRO 45-SPLO ___NDS-Lite lower screen/lower backlight (P4)________________________________ 1-VDD-5 6-MOD 11-LD1xx 16-LD1xx 21-LD1xx 26-LD1xx 31-LS 36-GND 2-VDD10 7-GSP 12-LD1xx 17-LD1xx 22-LD1xx 27-LD1xx 32-VSHD 37-COM1 3-VDD5 8-GCK 13-LD1xx 18-GND 23-LD1xx 28-GND 33-GND 38-LEDA1 4-GND 9-LD1xx 14-LD1xx 19-LD1xx 24-LD1xx 29-DCLK 34-xx1? 39-LEDC1 5-VSHD 10-LD1xx 15-LD1xx 20-LD1xx 25-LD1xx 30-SPL 35-REV ___NDS-Lite touchscreen socket (P6)______ ___NDS-Lite white coax (P12)_____ 1:X- 2:Y- 3:X+ 4:Y+ Center:MICIN Shield:GND |
| Pinouts - Power Switches, DC/DC Converters, Reset Generators |
1 via resistor to GND (OFF) 2 VS (BT+) (ON) C VCC (to board) |
C1 VDD35 (to S2 when PRESSED, to S1 when RELEASED) S1 VDD3 (to C2 when PRESSED, to C1 when RELEASED) C2 IN35 (to S1 when PRESSED) S2 VDD5 (to C1 when PRESSED) |
1-VIN 2-VOUT5 3-CSS5 4-VDRV5 5-GND 6-VDRV3 7-CSS3 8-VOUT3 9-VCNT5 10-CSCP 11-REGEXT 12-VDD3 13-VDD2 14-/RESET 15-LOWBAT 16-VDD13 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 ? ? REVC U3-COM V0 V1 ? ? ? GND ? V2 ? V3 V4 VDD5 U3-VDD ? |
1-VCC 2-SCP1 3-SCP2 4-VDRV3 5-VOUT3/VDD3 6-VDD2 7-VOUT1/VDD1 8-VDRV1 9-LOWBAT 10-VCNT5 11-LS5 12-? 13-GND 14-? 15-VOUT5/VDD5 16-VDRV5 |
1-TIN 2-U5C3 3-ADJ 4-U5VDD 5-VIN 6-? 7-U57 8-? 9-to-C29 10-to-C30 11-? 12-GND 13-VS 14-S- 15-S+ 16-U5OUT |
1 R50-EXTB+ 17 33 LEDC1 49 VCNT5 2 R39-ORANGE 18 34 GND 50 3 GND 19 VQ5 35 LEDC2 51 RST 4 20 36 52 5 Rxx-Q4 21 37 U10-LEDA2 53 6 INS+ 22 GND 38 54 7 INS- 23 VQ5 39 MIC.C53-AIN 55 VQ5 8 24 40 MIC.TSC.AUX 56 R24-SR 9 VDET 25 VDD3.3 41 GND 57 10 PVDD 26 GND 42 R38-RED 58 R22-SL 11 27 CL60-VDD3.3 43 R37-GREEN 59 GND 12 PWSW 28 VSHD 44 VDD3.3 60 VR3.PIN2 13 29 45 PWM.SPI.CLK 61 14 GND 30 VDD5 46 PWM.SPI.D 62 15 GND 31 U9-LEDA1 47 PWM.SPI.Q 63 16 VQ5 32 48 PWM.SPI.SEL 64 GND |
1 SW 17 33 LEDC1 49 VCNT5 2 R50-EXTB+ 18 34 GND 50 3 R39-ORANGE 19 VQ5 35 LEDC2 51 RST 4 GND 20 36 52 5 21 37 U10-LEDA2 53 6 R30-Q4 22 GND 38 54 7 INS+ 23 VQ5 39 MIC.C53-AIN 55 CL63-VQ5 8 INS- 24 40 MIC.TSC.AUX 56 R24-SR 9 VDET 25 VDD3.3 41 GND 57 SPRO 10 PVDD 26 GND 42 R38-RED 58 SPLO 11 27 CL60-VDD3.3 43 R37-GREEN 59 R22-SL 12 PWSW 28 VSHD 44 VDD3.3 60 GND 13 GND 29 45 PWM.SPI.CLK 61 R79-VR3.PIN2 14 GND 30 VDD5 46 PWM.SPI.D 62 15 GND 31 U9-LEDA1 47 PWM.SPI.Q 63 16 VQ5 32 48 PWM.SPI.SEL 64 |
1 PWSW (grounded when switch is pulled) 2 GND 3 GND 4 NC? (grounded when switch is not pulled) |
| Pinouts - Wifi |
1 N/A 6 FMW.CLK 11 ENABLE 16 RX.DTA? 21 BB./CS 26 22MHz 31 GND 2 GND 7 FMW./SEL 12 GND 17 TX.MAIN 22 RF./CS 27 GND 32 GND 3 high? 8 FMW.DTA.Q 13 GND 18 GND 23 BB.RF.CLK 28 VDD3.3 33 GND 4 RXTX.ON 9 FMW.DTA.D 14 TX.ON 19 TX.CLK 24 BB.RF.RD 29 VDD1.8 5 FMW./WP 10 FMW./RES 15 RX.ON 20 TX.DTA 25 BB.RF.WR 30 GND |
1 GND 6 GND 11 BB.RF.WR 16 VDD3.3 21 hi? 26 FMW.Q 2 lo? 7 hi? 12 BB.RF.CLK 17 GND 22 FMW./RES 27 FMW./WP 3 hi? 8 hi? 13 GND 18 RF./CS 23 GND 28 FMW./CS 4 hi? 9 GND 14 hi? 19 hi? 24 FMW.CLK 29 hi? 5 hi? 10 hi? 15 GND 20 BB./CS 25 FMW.D 30 GND |
1 5 9 13 17 21 RF.CLK 25 29 2 6 10 14 GND 18 22 26 30 3 7 11 15 19 RF.RD 23 27 31 4 8 12 16 20 RF./CS 24 28 32 |
1 GND 7 13 GND 19 25 31 37 TX.MAIN 43 2 8 14 20 26 32 BB./CS 38 RX.DTA? 44 3 9 15 BB.CLK 21 27 33 TX.DTA 39 RX.ON 45 GND 4 10 16 BB.WR 22 28 RST 34 RXTX.ON 40 TX.ON 46 5 11 17 BB.RD 23 29 35 TX.CLK 41 47 6 12 18 22MHz 24 30 36 42 48 |
1- 8-GND 15- 22-GND 29- 36- 43- 50- 2-GND 9- 16- 23- 30- 37- 44- 51- 3- 10-GND 17- 24- 31- 38- 45- 52- 4- 11-GND 18- 25- 32- 39-GND 46- 53- 5- 12-GND 19- 26- 33- 40- 47- 54- 6- 13- 20- 27- 34- 41- 48- 55- 7- 14- 21- 28- 35- 42- 49-GND 56- |
RX.DTA? __________________________________________________________ RXTX.ON __-----------------------_________________________________ RX.ON __---_______-------------_________________________________ TX.ON _____-------______________________________________________ TX.MAIN ________----______________________________________________ TX.CLK _____#__####______________________________________________ TX.DTA _____#__####______________________________________________ |
RX.DTA? __________________________________________________________ RXTX.ON -----------------------------------------------______----- RX.ON -----------------------------------------------_________-- TX.ON __________________________________________________________ TX.MAIN __________________________________________________________ TX.CLK __________________________________________________________ TX.DTA _______________________________________________---________ |
| Pinouts - Various |
1 A15 7 A9 13 IC 19 A6 25 A0 31 D2 37 VCC 43 D15 2 A14 8 A8 14 /UB 20 A5 26 /CE1 32 D10 38 D5 44 D8 3 A13 9 NC 15 /LB 21 A4 27 GND 33 D3 39 D13 45 D16 4 A12 10 NC 16 NC 22 A3 28 /OE 34 D11 40 D6 46 GND 5 A11 11 /WE 17 NC 23 A2 29 D1 35 D4 41 D14 47 NC 6 A10 12 CE2 18 A7 24 A1 30 D9 36 D12 42 D7 48 A16 |
______ _____ GND--|1 U8 6|-- U85 | |--VDD5 U82--|2 5|-- U85 U61-| Q12 | U83 ------> to display U83--|3____4|-- U82 |_____|--Q12B Q12B <------ from button U61--|1 U6 8|--VDD5 (X)---R51--VDD5 (X)---C70--GND U62--|2 7|--VDD5 U62---R49--VDD5 U61---R40--GND U62--|3 6|--(X) Q12B--R39--VDD5 U82---R38--GND GND--|4____5|--NC? Q12B--C69--VDD5 U85---R50--U62 |
| AUX Xboo PC-to-GBA Multiboot Cable |
GBA Name Color SUBD CNTR Name 2 SO Red ------------- 10 10 /ACK 3 SI Orange ------------- 14 14 /AUTOLF 5 SC Green ------------- 1 1 /STROBE 6 GND Blue ------------- 19 19 GND |
4 SD Brown ------------- 17 36 /SELECT (double speed burst) 3 SI Orange ----[===]---- 2..9 2..9 D0..7 (pull-up, 560 Ohm) 5 SC Green ----[===]---- 2..9 2..9 D0..7 (pull-up, 560 Ohm) 4 SD Brown ----[===]---- 2..9 2..9 D0..7 (pull-up, 560 Ohm) START (mainboard) -----|>|----- 16 31 /INIT (auto-reset, 1N4148) SELECT (mainboard) -----|>|----- 16 31 /INIT (auto-reset, 1N4148) RESET (mainboard) -----||------ 16 31 /INIT (auto-reset, 300nF) |
Boot Mode_____Delay 0_______Delay 1_______Delay 2_____ Double Burst 0.1s - 1.8s 0.1s - 3.7s 0.1s - 5.3s Single Burst 0.1s - 3.6s 0.1s - 7.1s 0.1s - 10.6s Normal Bios 4.0s - 9.0s 4.0s - 12.7s 4.0s - 16.3s |
1) Connect it to the GBA link port. Advantage: No need to
open/modify the GBA. Disadvantage: You need a special plug,
(typically gained by removing it from a gameboy link cable).
2) Solder the cable directly to the GBA link port pins. Advantages:
No plug required & no need to open the GBA. Disadvantages:
You can't remove the cable, and the link port becomes unusable.
3) Solder the cable directly to the GBA mainboard. Advantage: No
plug required at the GBA side. Disadvantage: You'll always
have a cable leaping out of the GBA even when not using it,
unless you put a small standard plug between GBA and cable.
4) Install a Centronics socket in the GBA (between power switch
and headphone socket). Advantage: You can use a standard
printer cable. Disadvantages: You need to cut a big hole into
the GBAs battery box (which cannot be used anymore), the big
cable might be a bit uncomfortable when holding the GBA.
|
| AUX Xboo Flashcard Upload |
| AUX Xboo Burst Boot Backdoor |
Send (PC) Reply (GBA) "BRST" "BOOT" ;request burst, and reply <prepared> for boot <wait 1/16s> <process IRQ> ;long delay, allow slave to enter IRQ handler llllllll "OKAY" ;send length in bytes, reply <ready> to boot dddddddd -------- ;send data in 32bit units, reply don't care cccccccc cccccccc ;exchange crc (all data units added together) |
.arm ;select 32bit ARM instruction set .gba ;indicate that it's a gameboy advance program .fix ;automatically fix the cartridge header checksum org 2000000h ;origin in RAM for multiboot-cable/no$gba-cutdown programs ;------------------ ;cartridge header/multiboot header b rom_start ;-rom entry point dcb ...insert logo here... ;-nintento logo (156 bytes) dcb 'XBOO SAMPLE ' ;-title (12 bytes) dcb 0,0,0,0, 0,0 ;-game code (4 bytes), maker code (2 bytes) dcb 96h,0,0 ;-fixed value 96h, main unit code, device type dcb 0,0,0,0,0,0,0 ;-reserved (7 bytes) dcb 0 ;-software version number dcb 0 ;-header checksum (set by .fix) dcb 0,0 ;-reserved (2 bytes) b ram_start ;-multiboot ram entry point dcb 0,0 ;-multiboot reserved bytes (destroyed by BIOS) dcb 0,0 ;-blank padded (32bit alignment) ;------------------ irq_handler: ;interrupt handler (note: r0-r3 are pushed by BIOS) mov r1,4000000h ;\get I/O base address, ldr r0,[r1,200h] ;IE/IF ; read IE and IF, and r0,r0,r0,lsr 16 ; isolate occurred AND enabled irqs, add r3,r1,200h ;IF ; and acknowledge these in IF strh r0,[r3,2] ;/ ldrh r3,[r1,-8] ;\mix up with BIOS irq flags at 3007FF8h, orr r3,r3,r0 ; aka mirrored at 3FFFFF8h, this is required strh r3,[r1,-8] ;/when using the (VBlank-)IntrWait functions and r3,r0,80h ;IE/IF.7 SIO ;\ cmp r3,80h ; check if it's a burst boot interrupt ldreq r2,[r1,120h] ;SIODATA32 ; (if interrupt caused by serial transfer, ldreq r3,[msg_brst] ; and if received data is "BRST", cmpeq r2,r3 ; then jump to burst boot) beq burst_boot ;/ ;... insert your own interrupt handler code here ... bx lr ;-return to the BIOS interrupt handler ;------------------ burst_boot: ;requires incoming r1=4000000h ;... if your program uses DMA, disable any active DMA transfers here ... ldr r4,[msg_okay] ;\ bl sio_transfer ; receive transfer length/bytes & reply "OKAY" mov r2,r0 ;len ;/ mov r3,3000000h ;dst ;\ mov r4,0 ;crc ; @@lop: ; bl sio_transfer ; download burst loader to 3000000h and up stmia [r3]!,r0 ;dst ; add r4,r4,r0 ;crc ; subs r2,r2,4 ;len ; bhi @@lop ;/ bl sio_transfer ;-send crc value to master b 3000000h ;ARM state! ;-launch actual transfer / start the loader ;------------------ sio_transfer: ;serial transfer subroutine, 32bit normal mode, external clock str r4,[r1,120h] ;siodata32 ;-set reply/send data ldr r0,[r1,128h] ;siocnt ;\ orr r0,r0,80h ; activate slave transfer str r0,[r1,128h] ;siocnt ;/ @@wait: ;\ ldr r0,[r1,128h] ;siocnt ; wait until transfer completed tst r0,80h ; bne @@wait ;/ ldr r0,[r1,120h] ;siodata32 ;-get received data bx lr ;--- msg_boot dcb 'BOOT' ;\ msg_okay dcb "OKAY" ; ID codes for the burstboot protocol msg_brst dcb "BRST" ;/ ;------------------ download_rom_to_ram: mov r0,8000000h ;src/rom ;\ mov r1,2000000h ;dst/ram ; mov r2,40000h/16 ;length ; transfer the ROM content @@lop: ; into RAM (done in units of 4 words/16 bytes) ldmia [r0]!,r4,r5,r6,r7 ; currently fills whole 256K of RAM, stmia [r1]!,r4,r5,r6,r7 ; even though the proggy is smaller subs r2,r2,1 ; bne @@lop ;/ sub r15,lr,8000000h-2000000h ;-return (retadr rom/8000XXXh -> ram/2000XXXh) ;------------------ init_interrupts: mov r4,4000000h ;-base address for below I/O registers ldr r0,=irq_handler ;\install IRQ handler address str r0,[r4,-4] ;IRQ HANDLER ;/at 3FFFFFC aka 3007FFC mov r0,0008h ;\enable generating vblank irqs strh r0,[r4,4h] ;DISPSTAT ;/ mrs r0,cpsr ;\ bic r0,r0,80h ; cpu interrupt enable (clear i-flag) msr cpsr,r0 ;/ mov r0,0 ;\ str r0,[r4,134h] ;RCNT ; init SIO normal mode, external clock, ldr r0,=5080h ; 32bit, IRQ enable, transfer started str r0,[r4,128h] ;SIOCNT ; output "BOOT" (indicate burst boot prepared) ldr r0,[msg_boot] ; str r0,[r4,120h] ;SIODATA32 ;/ mov r0,1 ;\interrupt master enable str r0,[r4,208h] ;IME=1 ;/ mov r0,81h ;\enable execution of vblank IRQs, str r0,[r4,200h] ;IE=81h ;/and of SIO IRQs (burst boot) bx lr ;------------------ rom_start: ;entry point when booted from flashcart/rom bl download_rom_to_ram ;-download ROM to RAM (returns to ram_start) ram_start: ;entry point for multiboot/burstboot mov r0,0feh ;\reset all registers, and clear all memory swi 10000h ;RegisterRamReset ;/(except program code in wram at 2000000h) bl init_interrupts ;-install burst boot irq handler mov r4,4000000h ;\enable video, strh r4,[r4,000h] ;DISPCNT ;/by clearing the forced blank bit @@mainloop: swi 50000h ;VBlankIntrWait ;-wait one frame (cpu in low power mode) mov r5,5000000h ;\increment the backdrop palette color str r8,[r5] ; (ie. display a blinking screen) add r8,r8,1 ;/ b @@mainloop ;------------------ .pool end |
| CPU Reference |
| CPU Overview |
8bit - Byte 16bit - Halfword 32bit - Word |
- Each single opcode provides more functionality, resulting in faster execution when using a 32bit bus memory system (such like opcodes stored in GBA Work RAM). - All registers R0-R15 can be accessed directly. |
- Not so fast when using 16bit memory system (but it still works though). - Program code occupies more memory space. |
- Faster execution up to approx 160% when using a 16bit bus memory system (such like opcodes stored in GBA GamePak ROM). - Reduces code size, decreases memory overload down to approx 65%. |
- Not as multi-functional opcodes as in ARM state, so it will be sometimes required use more than one opcode to gain a similar result as for a single opcode in ARM state. - Most opcodes allow only registers R0-R7 to be used directly. |
| CPU Register Set |
System/User FIQ Supervisor Abort IRQ Undefined -------------------------------------------------------------- R0 R0 R0 R0 R0 R0 R1 R1 R1 R1 R1 R1 R2 R2 R2 R2 R2 R2 R3 R3 R3 R3 R3 R3 R4 R4 R4 R4 R4 R4 R5 R5 R5 R5 R5 R5 R6 R6 R6 R6 R6 R6 R7 R7 R7 R7 R7 R7 -------------------------------------------------------------- R8 R8_fiq R8 R8 R8 R8 R9 R9_fiq R9 R9 R9 R9 R10 R10_fiq R10 R10 R10 R10 R11 R11_fiq R11 R11 R11 R11 R12 R12_fiq R12 R12 R12 R12 R13 (SP) R13_fiq R13_svc R13_abt R13_irq R13_und R14 (LR) R14_fiq R14_svc R14_abt R14_irq R14_und R15 (PC) R15 R15 R15 R15 R15 -------------------------------------------------------------- CPSR CPSR CPSR CPSR CPSR CPSR -- SPSR_fiq SPSR_svc SPSR_abt SPSR_irq SPSR_und -------------------------------------------------------------- |
| CPU Flags |
Bit Expl. 31 N - Sign Flag (0=Not Signed, 1=Signed) 30 Z - Zero Flag (0=Not Zero, 1=Zero) 29 C - Carry Flag (0=No Carry, 1=Carry) 28 V - Overflow Flag (0=No Overflow, 1=Overflow) 27 Q - Sticky Overflow (1=Sticky Overflow, ARMv5TE and up only) 26-8 Reserved (For future use) - Do not change manually! 7 I - IRQ disable (0=Enable, 1=Disable) 6 F - FIQ disable (0=Enable, 1=Disable) 5 T - State Bit (0=ARM, 1=THUMB) - Do not change manually! 4-0 M4-M0 - Mode Bits (See below) |
Binary Hex Dec Expl. 10000b 10h 16 - User (non-privileged) 10001b 11h 17 - FIQ 10010b 12h 18 - IRQ 10011b 13h 19 - Supervisor (SWI) 10111b 17h 23 - Abort 11011b 1Bh 27 - Undefined 11111b 1Fh 31 - System (privileged 'User' mode) (ARMv4 and up) |
| CPU Exceptions |
Address Exception Mode on Entry Interrupt Flags BASE+00h Reset Supervisor (_svc) I=1, F=1 BASE+04h Undefined Instruction Undefined (_und) I=1, F=unchanged BASE+08h Software Interrupt (SWI) Supervisor (_svc) I=1, F=unchanged BASE+0Ch Prefetch Abort Abort (_abt) I=1, F=unchanged BASE+10h Data Abort Abort (_abt) I=1, F=unchanged BASE+14h (Reserved) - - - BASE+18h Normal Interrupt (IRQ) IRQ (_irq) I=1, F=unchanged BASE+1Ch Fast Interrupt (FIQ) FIQ (_fiq) I=1, F=1 |
- R14=PC+nn ;save old PC, ie. return address - SPSR_<new mode>=CPSR ;save old flags - CPSR new T,M bits ;set to T=0 (ARM state), and M4-0=new mode - CPSR new I bit ;IRQs disabled (I=1), done by ALL exceptions - CPSR new F bit ;FIQs disabled (F=1), done by Reset and FIQ only - PC=exception_vector ;see table above |
SUBS PC,R14,4 ;both PC=R14_irq-4, and CPSR=SPSR_irq |
MOVS PC,R14 ;both PC=R14_svc, and CPSR=SPSR_svc |
MOVS PC,R14 ;both PC=R14_und, and CPSR=SPSR_und |
prefetch abort: SUBS PC,R14,#4 ;PC=R14_abt-4, and CPSR=SPSR_abt data abort: SUBS PC,R14,#8 ;PC=R14_abt-8, and CPSR=SPSR_abt |
| CPU Memory Alignments |
LDRH Rd,[odd] --> LDRH Rd,[odd-1] ;forced align LDRSH Rd,[odd] --> LDRSH Rd,[odd-1] ;forced align |
LDRH Rd,[odd] --> LDRH Rd,[odd-1] ROR 8 ;read to bit0-7 and bit24-31 LDRSH Rd,[odd] --> LDRSB Rd,[odd] ;sign-expand BYTE value |
| THUMB Instruction Set |
| THUMB Instruction Summary |
Instruction Cycles Flags Format Expl. MOV Rd,Imm8bit 1S NZ-- 3 Rd=nn MOV Rd,Rs 1S NZ00 2 Rd=Rs+0 MOV R0..14,R8..15 1S ---- 5 Rd=Rs MOV R8..14,R0..15 1S ---- 5 Rd=Rs MOV R15,R0..15 2S+1N ---- 5 PC=Rs MVN Rd,Rs 1S NZ-- 4 Rd=NOT Rs AND Rd,Rs 1S NZ-- 4 Rd=Rd AND Rs TST Rd,Rs 1S NZ-- 4 Void=Rd AND Rs BIC Rd,Rs 1S NZ-- 4 Rd=Rd AND NOT Rs ORR Rd,Rs 1S NZ-- 4 Rd=Rd OR Rs EOR Rd,Rs 1S NZ-- 4 Rd=Rd XOR Rs LSL Rd,Rs,Imm5bit 1S NZc- 1 Rd=Rs SHL nn LSL Rd,Rs 1S+1I NZc- 4 Rd=Rd SHL (Rs AND 0FFh) LSR Rd,Rs,Imm5bit 1S NZc- 1 Rd=Rs SHR nn LSR Rd,Rs 1S+1I NZc- 4 Rd=Rd SHR (Rs AND 0FFh) ASR Rd,Rs,Imm5bit 1S NZc- 1 Rd=Rs SAR nn ASR Rd,Rs 1S+1I NZc- 4 Rd=Rd SAR (Rs AND 0FFh) ROR Rd,Rs 1S+1I NZc- 4 Rd=Rd ROR (Rs AND 0FFh) NOP 1S ---- 5 R8=R8 |
Instruction Cycles Flags Format Expl. ADD Rd,Rs,Imm3bit 1S NZCV 2 Rd=Rs+nn ADD Rd,Imm8bit 1S NZCV 3 Rd=Rd+nn ADD Rd,Rs,Rn 1S NZCV 2 Rd=Rs+Rn ADD R0..14,R8..15 1S ---- 5 Rd=Rd+Rs ADD R8..14,R0..15 1S ---- 5 Rd=Rd+Rs ADD R15,R0..15 2S+1N ---- 5 PC=Rd+Rs ADD Rd,PC,Imm8bit*4 1S ---- 12 Rd=(($+4) AND NOT 2)+nn ADD Rd,SP,Imm8bit*4 1S ---- 12 Rd=SP+nn ADD SP,Imm7bit*4 1S ---- 13 SP=SP+nn ADD SP,-Imm7bit*4 1S ---- 13 SP=SP-nn ADC Rd,Rs 1S NZCV 4 Rd=Rd+Rs+Cy SUB Rd,Rs,Imm3Bit 1S NZCV 2 Rd=Rs-nn SUB Rd,Imm8bit 1S NZCV 3 Rd=Rd-nn SUB Rd,Rs,Rn 1S NZCV 2 Rd=Rs-Rn SBC Rd,Rs 1S NZCV 4 Rd=Rd-Rs-NOT Cy NEG Rd,Rs 1S NZCV 4 Rd=0-Rs CMP Rd,Imm8bit 1S NZCV 3 Void=Rd-nn CMP Rd,Rs 1S NZCV 4 Void=Rd-Rs CMP R0-15,R8-15 1S NZCV 5 Void=Rd-Rs CMP R8-15,R0-15 1S NZCV 5 Void=Rd-Rs CMN Rd,Rs 1S NZCV 4 Void=Rd+Rs MUL Rd,Rs 1S+mI NZx- 4 Rd=Rd*Rs |
Instruction Cycles Flags Format Expl.
B disp 2S+1N ---- 18 PC=$+/-2048
BL disp 3S+1N ---- 19 PC=$+/-4M, LR=$+5
B{cond=true} disp 2S+1N ---- 16 PC=$+/-0..256
B{cond=false} disp 1S ---- 16 N/A
BX R0..15 2S+1N ---- 5 PC=Rs, ARM/THUMB (Rs bit0)
SWI Imm8bit 2S+1N ---- 17 PC=8, ARM SVC mode, LR=$+2
BKPT Imm8bit ??? ---- 17 ??? ARM9 Prefetch Abort
BLX disp ??? ---- ??? ??? ARM9
BLX R0..R14 ??? ---- ??? ??? ARM9
POP {Rlist,}PC (n+1)S+2N+1I ---- 14
MOV R15,R0..15 2S+1N ---- 5 PC=Rs
ADD R15,R0..15 2S+1N ---- 5 PC=Rd+Rs
|
Instruction Cycles Flags Format Expl.
LDR Rd,[Rb,5bit*4] 1S+1N+1I ---- 9 Rd = WORD[Rb+nn]
LDR Rd,[PC,8bit*4] 1S+1N+1I ---- 6 Rd = WORD[PC+nn]
LDR Rd,[SP,8bit*4] 1S+1N+1I ---- 11 Rd = WORD[SP+nn]
LDR Rd,[Rb,Ro] 1S+1N+1I ---- 7 Rd = WORD[Rb+Ro]
LDRB Rd,[Rb,5bit*1] 1S+1N+1I ---- 9 Rd = BYTE[Rb+nn]
LDRB Rd,[Rb,Ro] 1S+1N+1I ---- 7 Rd = BYTE[Rb+Ro]
LDRH Rd,[Rb,5bit*2] 1S+1N+1I ---- 10 Rd = HALFWORD[Rb+nn]
LDRH Rd,[Rb,Ro] 1S+1N+1I ---- 8 Rd = HALFWORD[Rb+Ro]
LDSB Rd,[Rb,Ro] 1S+1N+1I ---- 8 Rd = SIGNED_BYTE[Rb+Ro]
LDSH Rd,[Rb,Ro] 1S+1N+1I ---- 8 Rd = SIGNED_HALFWORD[Rb+Ro]
STR Rd,[Rb,5bit*4] 2N ---- 9 WORD[Rb+nn] = Rd
STR Rd,[SP,8bit*4] 2N ---- 11 WORD[SP+nn] = Rd
STR Rd,[Rb,Ro] 2N ---- 7 WORD[Rb+Ro] = Rd
STRB Rd,[Rb,5bit*1] 2N ---- 9 BYTE[Rb+nn] = Rd
STRB Rd,[Rb,Ro] 2N ---- 7 BYTE[Rb+Ro] = Rd
STRH Rd,[Rb,5bit*2] 2N ---- 10 HALFWORD[Rb+nn] = Rd
STRH Rd,[Rb,Ro] 2N ---- 8 HALFWORD[Rb+Ro]=Rd
PUSH {Rlist}{LR} (n-1)S+2N ---- 14
POP {Rlist}{PC} ---- 14 (ARM9: with mode switch)
STMIA Rb!,{Rlist} (n-1)S+2N ---- 15
LDMIA Rb!,{Rlist} nS+1N+1I ---- 15
|
Form|_15|_14|_13|_12|_11|_10|_9_|_8_|_7_|_6_|_5_|_4_|_3_|_2_|_1_|_0_|
__1_|_0___0___0_|__Op___|_______Offset______|____Rs_____|____Rd_____|Shifted
__2_|_0___0___0___1___1_|_I,_Op_|___Rn/nn___|____Rs_____|____Rd_____|ADD/SUB
__3_|_0___0___1_|__Op___|____Rd_____|_____________Offset____________|Immedi.
__4_|_0___1___0___0___0___0_|______Op_______|____Rs_____|____Rd_____|AluOp
__5_|_0___1___0___0___0___1_|__Op___|Hd_|Hs_|____Rs_____|____Rd_____|HiReg/BX
__6_|_0___1___0___0___1_|____Rd_____|_____________Word______________|LDR PC
__7_|_0___1___0___1_|__Op___|_0_|___Ro______|____Rb_____|____Rd_____|LDR/STR
__8_|_0___1___0___1_|__Op___|_1_|___Ro______|____Rb_____|____Rd_____|""H/SB/SH
__9_|_0___1___1_|__Op___|_______Offset______|____Rb_____|____Rd_____|""{B}
_10_|_1___0___0___0_|Op_|_______Offset______|____Rb_____|____Rd_____|""H
_11_|_1___0___0___1_|Op_|____Rd_____|_____________Word______________|"" SP
_12_|_1___0___1___0_|Op_|____Rd_____|_____________Word______________|ADD PC/SP
_13_|_1___0___1___1___0___0___0___0_|_S_|___________Word____________|ADD SP,nn
_14_|_1___0___1___1_|Op_|_1___0_|_R_|____________Rlist______________|PUSH/POP
_17_|_1___0___1___1___1___1___1___0_|___________User_Data___________|BKPT ARM9
_15_|_1___1___0___0_|Op_|____Rb_____|____________Rlist______________|STM/LDM
_16_|_1___1___0___1_|_____Cond______|_________Signed_Offset_________|B{cond}
_U__|_1___1___0___1___1___1___1___0_|_____________var_______________|UNDEF ARM9
_17_|_1___1___0___1___1___1___1___1_|___________User_Data___________|SWI
_18_|_1___1___1___0___0_|________________Offset_____________________|B
_19_|_1___1___1___0___1_|_________________________var___________|_0_|BLXsuf ARM9
_U__|_1___1___1___0___1_|_________________________var___________|_1_|UNDEF ARM9
_19_|_1___1___1___1_|_H_|______________Offset_Low/High______________|BL (BLX ARM9)
|
1011 0001 xxxxxxxx (reserved) 1011 0x1x xxxxxxxx (reserved) 1011 10xx xxxxxxxx (reserved) 1011 1111 xxxxxxxx (reserved) 1101 1110 xxxxxxxx (free for user) |
| THUMB.1: move shifted register |
Bit Expl.
15-13 Must be 000b for 'move shifted register' instructions
12-11 Opcode
00b: LSL Rd,Rs,#Offset (logical/arithmetic shift left)
01b: LSR Rd,Rs,#Offset (logical shift right)
10b: ASR Rd,Rs,#Offset (arithmetic shift right)
11b: Reserved (used for add/subtract instructions)
10-6 Offset (0-31)
5-3 Rs - Source register (R0..R7)
2-0 Rd - Destination register (R0..R7)
|
| THUMB.2: add/subtract |
Bit Expl.
15-11 Must be 00011b for 'add/subtract' instructions
10-9 Opcode (0-3)
0: ADD Rd,Rs,Rn ;add register Rd=Rs+Rn
1: SUB Rd,Rs,Rn ;subtract register Rd=Rs-Rn
2: ADD Rd,Rs,#nn ;add immediate Rd=Rs+nn
3: SUB Rd,Rs,#nn ;subtract immediate Rd=Rs-nn
Pseudo/alias opcode with Imm=0:
2: MOV Rd,Rs ;move (affects cpsr) Rd=Rs+0
8-6 For Register Operand:
Rn - Register Operand (R0..R7)
For Immediate Operand:
nn - Immediate Value (0-7)
5-3 Rs - Source register (R0..R7)
2-0 Rd - Destination register (R0..R7)
|
| THUMB.3: move/compare/add/subtract immediate |
Bit Expl.
15-13 Must be 001b for this type of instructions
12-11 Opcode
00b: MOV Rd,#nn ;move Rd = #nn
01b: CMP Rd,#nn ;compare Void = Rd - #nn
10b: ADD Rd,#nn ;add Rd = Rd + #nn
11b: SUB Rd,#nn ;subtract Rd = Rd - #nn
10-8 Rd - Destination Register (R0..R7)
7-0 nn - Unsigned Immediate (0-255)
|
| THUMB.4: ALU operations |
Bit Expl.
15-10 Must be 010000b for this type of instructions
9-6 Opcode (0-Fh)
0: AND Rd,Rs ;AND logical Rd = Rd AND Rs
1: EOR Rd,Rs ;XOR logical Rd = Rd XOR Rs
2: LSL Rd,Rs ;log. shift left Rd = Rd << (Rs AND 0FFh)
3: LSR Rd,Rs ;log. shift right Rd = Rd >> (Rs AND 0FFh)
4: ASR Rd,Rs ;arit shift right Rd = Rd SAR (Rs AND 0FFh)
5: ADC Rd,Rs ;add with carry Rd = Rd + Rs + Cy
6: SBC Rd,Rs ;sub with carry Rd = Rd - Rs - NOT Cy
7: ROR Rd,Rs ;rotate right Rd = Rd ROR (Rs AND 0FFh)
8: TST Rd,Rs ;test Void = Rd AND Rs
9: NEG Rd,Rs ;negate Rd = 0 - Rs
A: CMP Rd,Rs ;compare Void = Rd - Rs
B: CMN Rd,Rs ;neg.compare Void = Rd + Rs
C: ORR Rd,Rs ;OR logical Rd = Rd OR Rs
D: MUL Rd,Rs ;multiply Rd = Rd * Rs
E: BIC Rd,Rs ;bit clear Rd = Rd AND NOT Rs
F: MVN Rd,Rs ;not Rd = NOT Rs
5-3 Rs - Source Register (R0..R7)
2-0 Rd - Destination Register (R0..R7)
|
N,Z,C,V for ADC,SBC,NEG,CMP,CMN N,Z,C for LSL,LSR,ASR,ROR (carry flag unchanged if zero shift amount) N,Z,C for MUL on ARMv4 and below: carry flag destroyed N,Z for MUL on ARMv5 and above: carry flag unchanged N,Z for AND,EOR,TST,ORR,BIC,MVN |
1S for AND,EOR,ADC,SBC,TST,NEG,CMP,CMN,ORR,BIC,MVN 1S+1I for LSL,LSR,ASR,ROR 1S+mI for MUL on ARMv4 (m=1..4; depending on MSBs of incoming Rd value) 1S+mI for MUL on ARMv5 (m=3; fucking slow, no matter of MSBs of Rd value) |
| THUMB.5: Hi register operations/branch exchange |
Bit Expl.
15-10 Must be 010001b for this type of instructions
9-8 Opcode (0-3)
0: ADD Rd,Rs ;add Rd = Rd+Rs
1: CMP Rd,Rs ;compare Void = Rd-Rs ;CPSR affected
2: MOV Rd,Rs ;move Rd = Rs
2: NOP ;nop R8 = R8
3: BX Rs ;jump PC = Rs ;may switch THUMB/ARM
3: BLX Rs ;call PC = Rs ;may switch THUMB/ARM (ARM9)
7 MSBd - Destination Register most significant bit (or BL/BLX flag)
6 MSBs - Source Register most significant bit
5-3 Rs - Source Register (together with MSBs: R0..R15)
2-0 Rd - Destination Register (together with MSBd: R0..R15)
|
Processor will be switched into ARM mode! If so, Bit 1 of Rs must be cleared (32bit word aligned). Thus, BX PC (switch to ARM) may be issued from word-aligned address only, the destination is PC+4 (ie. the following halfword is skipped). |
1S for ADD/MOV/CMP 2S+1N for ADD/MOV with Rd=R15, and for BX |
| THUMB.6: load PC-relative |
Bit Expl.
15-11 Must be 01001b for this type of instructions
N/A Opcode (fixed)
LDR Rd,[PC,#nn] ;load 32bit Rd = WORD[PC+nn]
10-8 Rd - Destination Register (R0..R7)
7-0 nn - Unsigned offset (0-1020 in steps of 4)
|
| THUMB.7: load/store with register offset |
Bit Expl.
15-12 Must be 0101b for this type of instructions
11-10 Opcode (0-3)
0: STR Rd,[Rb,Ro] ;store 32bit data WORD[Rb+Ro] = Rd
1: STRB Rd,[Rb,Ro] ;store 8bit data BYTE[Rb+Ro] = Rd
2: LDR Rd,[Rb,Ro] ;load 32bit data Rd = WORD[Rb+Ro]
3: LDRB Rd,[Rb,Ro] ;load 8bit data Rd = BYTE[Rb+Ro]
9 Must be zero (0) for this type of instructions
8-6 Ro - Offset Register (R0..R7)
5-3 Rb - Base Register (R0..R7)
2-0 Rd - Source/Destination Register (R0..R7)
|
| THUMB.8: load/store sign-extended byte/halfword |
Bit Expl.
15-12 Must be 0101b for this type of instructions
11-10 Opcode (0-3)
0: STRH Rd,[Rb,Ro] ;store 16bit data HALFWORD[Rb+Ro] = Rd
1: LDSB Rd,[Rb,Ro] ;load sign-extended 8bit Rd = BYTE[Rb+Ro]
2: LDRH Rd,[Rb,Ro] ;load zero-extended 16bit Rd = HALFWORD[Rb+Ro]
3: LDSH Rd,[Rb,Ro] ;load sign-extended 16bit Rd = HALFWORD[Rb+Ro]
9 Must be set (1) for this type of instructions
8-6 Ro - Offset Register (R0..R7)
5-3 Rb - Base Register (R0..R7)
2-0 Rd - Source/Destination Register (R0..R7)
|
| THUMB.9: load/store with immediate offset |
Bit Expl.
15-13 Must be 011b for this type of instructions
12-11 Opcode (0-3)
0: STR Rd,[Rb,#nn] ;store 32bit data WORD[Rb+nn] = Rd
1: LDR Rd,[Rb,#nn] ;load 32bit data Rd = WORD[Rb+nn]
2: STRB Rd,[Rb,#nn] ;store 8bit data BYTE[Rb+nn] = Rd
3: LDRB Rd,[Rb,#nn] ;load 8bit data Rd = BYTE[Rb+nn]
10-6 nn - Unsigned Offset (0-31 for BYTE, 0-124 for WORD)
5-3 Rb - Base Register (R0..R7)
2-0 Rd - Source/Destination Register (R0..R7)
|
| THUMB.10: load/store halfword |
Bit Expl.
15-12 Must be 1000b for this type of instructions
11 Opcode (0-1)
0: STRH Rd,[Rb,#nn] ;store 16bit data HALFWORD[Rb+nn] = Rd
1: LDRH Rd,[Rb,#nn] ;load 16bit data Rd = HALFWORD[Rb+nn]
10-6 nn - Unsigned Offset (0-62, step 2)
5-3 Rb - Base Register (R0..R7)
2-0 Rd - Source/Destination Register (R0..R7)
|
| THUMB.11: load/store SP-relative |
Bit Expl.
15-12 Must be 1001b for this type of instructions
11 Opcode (0-1)
0: STR Rd,[SP,#nn] ;store 32bit data WORD[SP+nn] = Rd
1: LDR Rd,[SP,#nn] ;load 32bit data Rd = WORD[SP+nn]
10-8 Rd - Source/Destination Register (R0..R7)
7-0 nn - Unsigned Offset (0-1020, step 4)
|
| THUMB.12: get relative address |
Bit Expl.
15-12 Must be 1010b for this type of instructions
11 Opcode/Source Register (0-1)
0: ADD Rd,PC,#nn ;Rd = (($+4) AND NOT 2) + nn
1: ADD Rd,SP,#nn ;Rd = SP + nn
10-8 Rd - Destination Register (R0..R7)
7-0 nn - Unsigned Offset (0-1020, step 4)
|
| THUMB.13: add offset to stack pointer |
Bit Expl.
15-8 Must be 10110000b for this type of instructions
7 Opcode/Sign
0: ADD SP,#nn ;SP = SP + nn
1: ADD SP,#-nn ;SP = SP - nn
6-0 nn - Unsigned Offset (0-508, step 4)
|
| THUMB.14: push/pop registers |
Bit Expl.
15-12 Must be 1011b for this type of instructions
11 Opcode (0-1)
0: PUSH {Rlist}{LR} ;store in memory, decrements SP (R13)
1: POP {Rlist}{PC} ;load from memory, increments SP (R13)
10-9 Must be 10b for this type of instructions
8 PC/LR Bit (0-1)
0: No
1: PUSH LR (R14), or POP PC (R15)
7-0 Rlist - List of Registers (R7..R0)
|
PUSH {R0-R3} ;push R0,R1,R2,R3
PUSH {R0,R2,LR} ;push R0,R2,LR
POP {R4,R7} ;pop R4,R7
POP {R2-R4,PC} ;pop R2,R3,R4,PC
|
| THUMB.15: multiple load/store |
Bit Expl.
15-12 Must be 1100b for this type of instructions
11 Opcode (0-1)
0: STMIA Rb!,{Rlist} ;store in memory, increments Rb
1: LDMIA Rb!,{Rlist} ;load from memory, increments Rb
10-8 Rb - Base register (modified) (R0-R7)
7-0 Rlist - List of Registers (R7..R0)
|
STMIA R7!,{R0-R2} ;store R0,R1,R2
LDMIA R0!,{R1,R5} ;store R1,R5
|
| THUMB.16: conditional branch |
Bit Expl.
15-12 Must be 1101b for this type of instructions
11-8 Opcode/Condition (0-Fh)
0: BEQ label ;Z=1 ;equal (zero)
1: BNE label ;Z=0 ;not equal (nonzero)
2: BCS label ;C=1 ;unsigned higher or same (carry set)
3: BCC label ;C=0 ;unsigned lower (carry cleared)
4: BMI label ;N=1 ;negative (minus)
5: BPL label ;N=0 ;positive or zero (plus)
6: BVS label ;V=1 ;overflow (V set)
7: BVC label ;V=0 ;no overflow (V cleared)
8: BHI label ;C=1 and Z=0 ;unsigned higher
9: BLS label ;C=0 or Z=1 ;unsigned lower or same
A: BGE label ;N=V ;greater or equal
B: BLT label ;N<>V ;less than
C: BGT label ;Z=0 and N=V ;greater than
D: BLE label ;Z=1 or N<>V ;less or equal
E: Undefined, should not be used
F: Reserved for SWI instruction (see SWI opcode)
7-0 Signed Offset, step 2 ($+4-256..$+4+254)
|
2S+1N if condition true (jump executed) 1S if condition false |
| THUMB.17: software interrupt and breakpoint |
Bit Expl.
15-8 Opcode
11011111b: SWI nn ;software interrupt
10111110b: BKPT nn ;software breakpoint (ARMv5 and up)
7-0 nn - Comment Immediate (0-255)
|
R14_svc=PC+2 R14_abt=PC+4 ;save return address SPSR_svc=CPSR SPSR_abt=CPSR ;save CPSR flags CPSR=<changed> CPSR=<changed> ;Enter svc/abt, ARM state, IRQs disabled PC=VVVV0008h PC=VVVV000Ch ;jump to SWI/PrefetchAbort vector address |
MOVS PC,R14 |
| THUMB.18: unconditional branch |
Bit Expl.
15-11 Must be 11100b for this type of instructions
N/A Opcode (fixed)
B label ;branch (jump)
10-0 Signed Offset, step 2 ($+4-2048..$+4+2046)
|
| THUMB.19: long branch with link |
Bit Expl. 15-11 Must be 11110b for BL/BLX type of instructions 10-0 nn - Upper 11 bits of Target Address |
Bit Expl.
15-11 Opcode
11111b: BL label ;branch long with link
11101b: BLX label ;branch long with link switch to ARM mode (ARM9)
10-0 nn - Lower 11 bits of Target Address (BLX: Bit0 Must be zero)
|
| ARM Instruction Set |
| ARM Instruction Summary |
Instruction Cycles Flags Format Expl.
MOV{cond}{S} Rd,Op2 1S+x+y NZc- 5 Rd = Op2
MVN{cond}{S} Rd,Op2 1S+x+y NZc- 5 Rd = NOT Op2
AND{cond}{S} Rd,Rn,Op2 1S+x+y NZc- 5 Rd = Rn AND Op2
TST{cond}{P} Rn,Op2 1S+x NZc- 5 Void = Rn AND Op2
EOR{cond}{S} Rd,Rn,Op2 1S+x+y NZc- 5 Rd = Rn XOR Op2
TEQ{cond}{P} Rn,Op2 1S+x NZc- 5 Void = Rn XOR Op2
ORR{cond}{S} Rd,Rn,Op2 1S+x+y NZc- 5 Rd = Rn OR Op2
BIC{cond}{S} Rd,Rn,Op2 1S+x+y NZc- 5 Rd = Rn AND NOT Op2
|
Instruction Cycles Flags Format Expl.
ADD{cond}{S} Rd,Rn,Op2 1S+x+y NZCV 5 Rd = Rn+Op2
ADC{cond}{S} Rd,Rn,Op2 1S+x+y NZCV 5 Rd = Rn+Op2+Cy
SUB{cond}{S} Rd,Rn,Op2 1S+x+y NZCV 5 Rd = Rn-Op2
SBC{cond}{S} Rd,Rn,Op2 1S+x+y NZCV 5 Rd = Rn-Op2+Cy-1
RSB{cond}{S} Rd,Rn,Op2 1S+x+y NZCV 5 Rd = Op2-Rn
RSC{cond}{S} Rd,Rn,Op2 1S+x+y NZCV 5 Rd = Op2-Rn+Cy-1
CMP{cond}{P} Rn,Op2 1S+x NZCV 5 Void = Rn-Op2
CMN{cond}{P} Rn,Op2 1S+x NZCV 5 Void = Rn+Op2
|
Instruction Cycles Flags Format Expl.
MUL{cond}{S} Rd,Rm,Rs 1S+mI NZx- 7 Rd = Rm*Rs
MLA{cond}{S} Rd,Rm,Rs,Rn 1S+mI+1I NZx- 7 Rd = Rm*Rs+Rn
UMULL{cond}{S} RdLo,RdHi,Rm,Rs 1S+mI+1I NZx- 7 RdHiLo = Rm*Rs
UMLAL{cond}{S} RdLo,RdHi,Rm,Rs 1S+mI+2I NZx- 7 RdHiLo = Rm*Rs+RdHiLo
SMULL{cond}{S} RdLo,RdHi,Rm,Rs 1S+mI+1I NZx- 7 RdHiLo = Rm*Rs
SMLAL{cond}{S} RdLo,RdHi,Rm,Rs 1S+mI+2I NZx- 7 RdHiLo = Rm*Rs+RdHiLo
SMLAxy{cond} Rd,Rm,Rs,Rn ---q 7 Rd=HalfRm*HalfRs+Rn ARMv5TE(xP)
SMLAWy{cond} Rd,Rm,Rs,Rn ---q 7 Rd=(Rm*HalfRs)/10000h+Rn ARMv5TE(xP)
SMULWy{cond} Rd,Rm,Rs ---- 7 Rd=(Rm*HalfRs)/10000h ARMv5TE(xP)
SMLALxy{cond} RdLo,RdHi,Rm,Rs ---- 7 RdHiLo=RdHiLo+HalfRm*HalfRs ARMv5TE(xP)
SMULxy{cond} Rd,Rm,Rs ---- 7 Rd=HalfRm*HalfRs ARMv5TE(xP)
|
Instruction Cycles Flags Format Expl.
LDR{cond}{B}{T} Rd,<Address> 1S+1N+1I +y ---- 9 Rd=[Rn+/-<offset>]
LDR{cond}H Rd,<Address> 1S+1N+1I +y ---- 10 Load Unsigned halfword
LDR{cond}D Rd,<Address> ---- 10 Load Dword ARMv5TE
LDR{cond}SB Rd,<Address> 1S+1N+1I +y ---- 10 Load Signed byte
LDR{cond}SH Rd,<Address> 1S+1N+1I +y ---- 10 Load Signed halfword
LDM{cond}{amod} Rn{!},<Rlist>{^} nS+1N+1I +y ---- 11 Load Multiple
STR{cond}{B}{T} Rd,<Address> 2N ---- 9 [Rn+/-<offset>]=Rd
STR{cond}H Rd,<Address> 2N ---- 10 Store halfword
STR{cond}D Rd,<Address> ---- 10 Store Dword ARMv5TE
STM{cond}{amod} Rn{!},<Rlist>{^} (n-1)S+2N ---- 11 Store Multiple
SWP{cond}{B} Rd,Rm,[Rn] 1S+2N+1I ---- 12 Rd=[Rn], [Rn]=Rm
PLD <Address> 1S ---- 9 Prepare Cache ARMv5TE
|
Instruction Cycles Flags Format Expl.
B{cond} label 2S+1N ---- 4 PC=$+8+/-32M
BL{cond} label 2S+1N ---- 4 PC=$+8+/-32M, LR=$+4
BX{cond} Rn 2S+1N ---- 3 PC=Rn, T=Rn.0 (THUMB/ARM)
BLX{cond} Rn 2S+1N ---- 3 PC=Rn, T=Rn.0, LR=PC+4, ARM9
BLX label 2S+1N ---- 3 PC=PC+$+/-32M, LR=$+4, T=1, ARM9
MRS{cond} Rd,Psr 1S ---- 6 Rd=Psr
MSR{cond} Psr{_field},Op 1S (psr) 6 Psr[field]=Op
SWI{cond} Imm24bit 2S+1N ---- 13 PC=8, ARM Svc mode, LR=$+4
BKPT Imm16bit ??? ---- ??? PC=C, ARM Abt mode, LR=$+4 ARM9
The Undefined Instruction 2S+1I+1N ---- 17 PC=4, ARM Und mode, LR=$+4
cond=false 1S ---- .. Any opcode with condition=false
NOP 1S ---- 5 R0=R0
|
CLZ{cond} Rd,Rm ??? ---- ??? Count Leading Zeros ARMv5
QADD{cond} Rd,Rm,Rn ---q Rd=Rm+Rn ARMv5TE(xP)
QSUB{cond} Rd,Rm,Rn ---q Rd=Rm-Rn ARMv5TE(xP)
QDADD{cond} Rd,Rm,Rn ---q Rd=Rm+Rn*2 ARMv5TE(xP)
QDSUB{cond} Rd,Rm,Rn ---q Rd=Rm-Rn*2 ARMv5TE(xP)
|
Instruction Cycles Flags Format Expl.
CDP{cond} Pn,<cpopc>,Cd,Cn,Cm{,<cp>} 1S+bI ---- 14 Coprocessor specific
STC{cond}{L} Pn,Cd,<Address> (n-1)S+2N+bI 15 [address] = CRd
LDC{cond}{L} Pn,Cd,<Address> (n-1)S+2N+bI 15 CRd = [address]
MCR{cond} Pn,<cpopc>,Rd,Cn,Cm{,<cp>} 1S+bI+1C 16 CRn = Rn {<op> CRm}
MRC{cond} Pn,<cpopc>,Rd,Cn,Cm{,<cp>} 1S+(b+1)I+1C 16 Rn = CRn {<op> CRm}
CDP2,STC2,LDC2,MCR2,MRC2 - ARMv5 Extensions similar above, without {cond}
MCRR{cond} Pn,<cpopc>,Rd,Rn,Cm ;write Rd,Rn to coproc ARMv5TE
MRRC{cond} Pn,<cpopc>,Rd,Rn,Cm ;read Rd,Rn from coproc ARMv5TE
|
|..3 ..................2 ..................1 ..................0| |1_0_9_8_7_6_5_4_3_2_1_0_9_8_7_6_5_4_3_2_1_0_9_8_7_6_5_4_3_2_1_0| |_Cond__|0_0_0|___Op__|S|__Rn___|__Rd___|__Shift__|Typ|0|__Rm___| DataProc |_Cond__|0_0_0|___Op__|S|__Rn___|__Rd___|__Rs___|0|Typ|1|__Rm___| DataProc |_Cond__|0_0_1|___Op__|S|__Rn___|__Rd___|_Shift_|___Immediate___| DataProc |_Cond__|0_0_1_1_0|P|1|0|_Field_|__Rd___|_Shift_|___Immediate___| PSR Imm |_Cond__|0_0_0_1_0|P|L|0|_Field_|__Rd___|0_0_0_0|0_0_0_0|__Rm___| PSR Reg |_Cond__|0_0_0_1_0_0_1_0_1_1_1_1_1_1_1_1_1_1_1_1|0_0|L|1|__Rn___| BX,BLX |1_1_1_0|0_0_0_1_0_0_1_0|_____immediate_________|0_1_1_1|_immed_| BKPT ARM9 |_Cond__|0_0_0_1_0_1_1_0_1_1_1_1|__Rd___|1_1_1_1|0_0_0_1|__Rm___| CLZ ARM9 |_Cond__|0_0_0_1_0|Op_|0|__Rn___|__Rd___|0_0_0_0|0_1_0_1|__Rm___| QALU ARM9 |_Cond__|0_0_0_0_0_0|A|S|__Rd___|__Rn___|__Rs___|1_0_0_1|__Rm___| Multiply |_Cond__|0_0_0_0_1|U|A|S|_RdHi__|_RdLo__|__Rs___|1_0_0_1|__Rm___| MulLong |_Cond__|0_0_0_1_0|Op_|0|Rd/RdHi|Rn/RdLo|__Rs___|1|y|x|0|__Rm___| MulHalf |_Cond__|0_0_0_1_0|B|0_0|__Rn___|__Rd___|0_0_0_0|1_0_0_1|__Rm___| TransSwp12 |_Cond__|0_0_0|P|U|0|W|L|__Rn___|__Rd___|0_0_0_0|1|S|H|1|__Rm___| TransReg10 |_Cond__|0_0_0|P|U|1|W|L|__Rn___|__Rd___|OffsetH|1|S|H|1|OffsetL| TransImm10 |_Cond__|0_1_0|P|U|B|W|L|__Rn___|__Rd___|_________Offset________| TransImm9 |_Cond__|0_1_1|P|U|B|W|L|__Rn___|__Rd___|__Shift__|Typ|0|__Rm___| TransReg9 |_Cond__|0_1_1|________________xxx____________________|1|__xxx__| Undefined |_Cond__|1_0_0|P|U|S|W|L|__Rn___|__________Register_List________| BlockTrans |_Cond__|1_0_1|L|___________________Offset______________________| B,BL,BLX |_Cond__|1_1_0|P|U|N|W|L|__Rn___|__CRd__|__CP#__|____Offset_____| CoDataTrans |_Cond__|1_1_0_0_0_1_0|L|__Rn___|__Rd___|__CP#__|_CPopc_|__CRm__| CoRR ARM9 |_Cond__|1_1_1_0|_CPopc_|__CRn__|__CRd__|__CP#__|_CP__|0|__CRm__| CoDataOp |_Cond__|1_1_1_0|CPopc|L|__CRn__|__Rd___|__CP#__|_CP__|1|__CRm__| CoRegTrans |_Cond__|1_1_1_1|_____________Ignored_by_Processor______________| SWI |
| ARM Condition Field |
Code Suffix Flags Meaning 0: EQ Z=1 equal (zero) 1: NE Z=0 not equal (nonzero) 2: CS C=1 unsigned higher or same (carry set) 3: CC C=0 unsigned lower (carry cleared) 4: MI N=1 negative (minus) 5: PL N=0 positive or zero (plus) 6: VS V=1 overflow (V set) 7: VC V=0 no overflow (V cleared) 8: HI C=1 and Z=0 unsigned higher 9: LS C=0 or Z=1 unsigned lower or same A: GE N=V greater or equal B: LT N<>V less than C: GT Z=0 and N=V greater than D: LE Z=1 or N<>V less or equal E: AL - always F: NV - never (ARMv1,v2 only) (Reserved ARMv3 and up) |
| ARM.3: Branch and Exchange (BX, BLX) |
Bit Expl.
31-28 Condition
27-8 Must be "0001.0010.1111.1111.1111" for this instruction
7-4 Opcode
0001b: BX{cond} Rn ;PC=Rn, T=Rn.0 (ARMv4T and ARMv5 and up)
0011b: BLX{cond} Rn ;PC=Rn, T=Rn.0, LR=PC+4 (ARMv5 and up)
3-0 Rn - Operand Register (R0-R14)
|
| ARM.4: Branch and Branch with Link (B, BL, BLX) |
Bit Expl.
31-28 Condition (must be 1111b for BLX)
27-25 Must be "101" for this instruction
24 Opcode (0-1) (or Halfword Offset for BLX)
0: B{cond} label ;branch PC=PC+8+nn*4
1: BL{cond} label ;branch/link PC=PC+8+nn*4, LR=PC+4
H: BLX label ;ARM9 ;branch/link/thumb PC=PC+8+nn*4+H*2, LR=PC+4, T=1
23-0 nn - Signed Offset, step 4 (-32M..+32M in steps of 4)
|
| ARM.5: Data Processing |
Bit Expl.
31-28 Condition
27-26 Must be 00b for this instruction
25 I - Immediate 2nd Operand Flag (0=Register, 1=Immediate)
24-21 Opcode (0-Fh) ;*=Arithmetic, otherwise Logical
0: AND{cond}{S} Rd,Rn,Op2 ;AND logical Rd = Rn AND Op2
1: EOR{cond}{S} Rd,Rn,Op2 ;XOR logical Rd = Rn XOR Op2
2: SUB{cond}{S} Rd,Rn,Op2 ;* ;subtract Rd = Rn-Op2
3: RSB{cond}{S} Rd,Rn,Op2 ;* ;subtract reversed Rd = Op2-Rn
4: ADD{cond}{S} Rd,Rn,Op2 ;* ;add Rd = Rn+Op2
5: ADC{cond}{S} Rd,Rn,Op2 ;* ;add with carry Rd = Rn+Op2+Cy
6: SBC{cond}{S} Rd,Rn,Op2 ;* ;sub with carry Rd = Rn-Op2+Cy-1
7: RSC{cond}{S} Rd,Rn,Op2 ;* ;sub cy. reversed Rd = Op2-Rn+Cy-1
8: TST{cond}{P} Rn,Op2 ;test Void = Rn AND Op2
9: TEQ{cond}{P} Rn,Op2 ;test exclusive Void = Rn XOR Op2
A: CMP{cond}{P} Rn,Op2 ;* ;compare Void = Rn-Op2
B: CMN{cond}{P} Rn,Op2 ;* ;compare neg. Void = Rn+Op2
C: ORR{cond}{S} Rd,Rn,Op2 ;OR logical Rd = Rn OR Op2
D: MOV{cond}{S} Rd,Op2 ;move Rd = Op2
E: BIC{cond}{S} Rd,Rn,Op2 ;bit clear Rd = Rn AND NOT Op2
F: MVN{cond}{S} Rd,Op2 ;not Rd = NOT Op2
20 S - Set Condition Codes (0=No, 1=Yes) (Must be 1 for opcode 8-B)
19-16 Rn - 1st Operand Register (R0..R15) (including PC=R15)
Must be 0000b for MOV/MVN.
15-12 Rd - Destination Register (R0..R15) (including PC=R15)
Must be 0000b {or 1111b) for CMP/CMN/TST/TEQ{P}.
When above Bit 25 I=0 (Register as 2nd Operand)
When below Bit 4 R=0 - Shift by Immediate
11-7 Is - Shift amount (1-31, 0=Special/See below)
When below Bit 4 R=1 - Shift by Register
11-8 Rs - Shift register (R0-R14) - only lower 8bit 0-255 used
7 Reserved, must be zero (otherwise multiply or undefined opcode)
6-5 Shift Type (0=LSL, 1=LSR, 2=ASR, 3=ROR)
4 R - Shift by Register Flag (0=Immediate, 1=Register)
3-0 Rm - 2nd Operand Register (R0..R15) (including PC=R15)
When above Bit 25 I=1 (Immediate as 2nd Operand)
11-8 Is - ROR-Shift applied to nn (0-30, in steps of 2)
7-0 nn - 2nd Operand Unsigned 8bit Immediate
|
V=not affected C=carryflag of shift operation (not affected if LSL#0 or Rs=00h) Z=zeroflag of result N=signflag of result (result bit 31) |
V=overflowflag of result C=carryflag of result Z=zeroflag of result N=signflag of result (result bit 31) |
R15=result ;modify PSR bits in R15, ARMv2 and below only. In user mode only N,Z,C,V bits of R15 can be changed. In other modes additionally I,F,M1,M0 can be changed. The PC bits in R15 are left unchanged in all modes. |
CPSR = SPSR_<current mode> PC = result For example: MOVS PC,R14 ;return from SWI (PC=R14_svc, CPSR=SPSR_svc). |
| ARM.6: PSR Transfer (MRS, MSR) |
Bit Expl.
31-28 Condition
27-26 Must be 00b for this instruction
25 I - Immediate Operand Flag (0=Register, 1=Immediate) (Zero for MRS)
24-23 Must be 10b for this instruction
22 Psr - Source/Destination PSR (0=CPSR, 1=SPSR_<current mode>)
21 Opcode
0: MRS{cond} Rd,Psr ;Rd = Psr
1: MSR{cond} Psr{_field},Op ;Psr[field] = Op
20 Must be 0b for this instruction (otherwise TST,TEQ,CMP,CMN)
For MRS:
19-16 Must be 1111b for this instruction (otherwise SWP)
15-12 Rd - Destination Register (R0-R14)
11-0 Not used, must be zero.
For MSR:
19 f write to flags field Bit 31-24 (aka _flg)
18 s write to status field Bit 23-16 (reserved, don't change)
17 x write to extension field Bit 15-8 (reserved, don't change)
16 c write to control field Bit 7-0 (aka _ctl)
15-12 Not used, must be 1111b.
For MSR Psr,Rm (I=0)
11-4 Not used, must be zero. (otherwise BX)
3-0 Rm - Source Register <op> (R0-R14)
For MSR Psr,Imm (I=1)
11-8 Shift applied to Imm (ROR in steps of two 0-30)
7-0 Imm - Unsigned 8bit Immediate
In source code, a 32bit immediate should be specified as operand.
The assembler should then convert that into a shifted 8bit value.
|
| ARM.7: Multiply and Multiply-Accumulate (MUL,MLA) |
Bit Expl.
31-28 Condition
27-25 Must be 000b for this instruction
24-21 Opcode
0000b: MUL{cond}{S} Rd,Rm,Rs ;multiply Rd = Rm*Rs
0001b: MLA{cond}{S} Rd,Rm,Rs,Rn ;mul.& accumulate Rd = Rm*Rs+Rn
0100b: UMULL{cond}{S} RdLo,RdHi,Rm,Rs ;multiply RdHiLo=Rm*Rs
0101b: UMLAL{cond}{S} RdLo,RdHi,Rm,Rs ;mul.& acc. RdHiLo=Rm*Rs+RdHiLo
0110b: SMULL{cond}{S} RdLo,RdHi,Rm,Rs ;sign.mul. RdHiLo=Rm*Rs
0111b: SMLAL{cond}{S} RdLo,RdHi,Rm,Rs ;sign.m&a. RdHiLo=Rm*Rs+RdHiLo
1000b: SMLAxy{cond} Rd,Rm,Rs,Rn ;Rd=HalfRm*HalfRs+Rn
1001b: SMLAWy{cond} Rd,Rm,Rs,Rn ;Rd=(Rm*HalfRs)/10000h+Rn
1001b: SMULWy{cond} Rd,Rm,Rs ;Rd=(Rm*HalfRs)/10000h
1010b: SMLALxy{cond} RdLo,RdHi,Rm,Rs ;RdHiLo=RdHiLo+HalfRm*HalfRs
1011b: SMULxy{cond} Rd,Rm,Rs ;Rd=HalfRm*HalfRs
20 S - Set Condition Codes (0=No, 1=Yes) (Must be 0 for Halfword mul)
19-16 Rd (or RdHi) - Destination Register (R0-R14)
15-12 Rn (or RdLo) - Accumulate Register (R0-R14) (Set to 0000b if unused)
11-8 Rs - Operand Register (R0-R14)
For Non-Halfword Multiplies
7-4 Must be 1001b for these instructions
For Halfword Multiplies
7 Must be 1 for these instructions
6 y - Rs Top/Bottom flag (0=B=Lower 16bit, 1=T=Upper 16bit)
5 x - Rm Top/Bottom flag (as above), or 0 for SMLAW, or 1 for SMULW
4 Must be 0 for these instructions
3-0 Rm - Operand Register (R0-R14)
|
| ARM.9: Single Data Transfer (LDR, STR, PLD) |
Bit Expl.
31-28 Condition (Must be 1111b for PLD)
27-26 Must be 01b for this instruction
25 I - Immediate Offset Flag (0=Immediate, 1=Shifted Register)
24 P - Pre/Post (0=post; add offset after transfer, 1=pre; before trans.)
23 U - Up/Down Bit (0=down; subtract offset from base, 1=up; add to base)
22 B - Byte/Word bit (0=transfer word quantity, 1=transfer byte quantity)
When above Bit 24 P=0 (Post-indexing, write-back is ALWAYS enabled):
21 T - Memory Management (0=Normal, 1=Force non-privileged access)
When above Bit 24 P=1 (Pre-indexing, write-back is optional):
21 W - Write-back bit (0=no write-back, 1=write address into base)
20 L - Load/Store bit (0=Store to memory, 1=Load from memory)
0: STR{cond}{B}{T} Rd,<Address> ;[Rn+/-<offset>]=Rd
1: LDR{cond}{B}{T} Rd,<Address> ;Rd=[Rn+/-<offset>]
(1: PLD <Address> ;Prepare Cache for Load, see notes below)
Whereas, B=Byte, T=Force User Mode (only for POST-Indexing)
19-16 Rn - Base register (R0..R15) (including R15=PC+8)
15-12 Rd - Source/Destination Register (R0..R15) (including R15=PC+12)
When above I=0 (Immediate as Offset)
11-0 Unsigned 12bit Immediate Offset (0-4095, steps of 1)
When above I=1 (Register shifted by Immediate as Offset)
11-7 Is - Shift amount (1-31, 0=Special/See below)
6-5 Shift Type (0=LSL, 1=LSR, 2=ASR, 3=ROR)
4 Must be 0 (Reserved, see ARM.17, The Undefined Instruction)
3-0 Rm - Offset Register (R0..R14) (not including PC=R15)
|
<expression> ;an immediate used as address ;*** restriction: must be located in range PC+/-4095+8, if so, ;*** assembler will calculate offset and use PC (R15) as base. |
[Rn] ;offset = zero
[Rn, <#{+/-}expression>]{!} ;offset = immediate
[Rn, {+/-}Rm{,<shift>} ]{!} ;offset = register shifted by immediate
|
[Rn], <#{+/-}expression> ;offset = immediate
[Rn], {+/-}Rm{,<shift>} ;offset = register shifted by immediate
|
<shift> immediate shift such like LSL#4, ROR#2, etc. (see ARM.5).
{!} exclamation mark ("!") indicates write-back (Rn will be updated).
|
| ARM.10: Halfword, Doubleword, and Signed Data Transfer |
Bit Expl.
31-28 Condition
27-25 Must be 000b for this instruction
24 P - Pre/Post (0=post; add offset after transfer, 1=pre; before trans.)
23 U - Up/Down Bit (0=down; subtract offset from base, 1=up; add to base)
22 I - Immediate Offset Flag (0=Register Offset, 1=Immediate Offset)
When above Bit 24 P=0 (Post-indexing, write-back is ALWAYS enabled):
21 Not used, must be zero (0)
When above Bit 24 P=1 (Pre-indexing, write-back is optional):
21 W - Write-back bit (0=no write-back, 1=write address into base)
20 L - Load/Store bit (0=Store to memory, 1=Load from memory)
19-16 Rn - Base register (R0-R15) (Including R15=PC+8)
15-12 Rd - Source/Destination Register (R0-R15) (Including R15=PC+12)
11-8 When above Bit 22 I=0 (Register as Offset):
Not used. Must be 0000b
When above Bit 22 I=1 (immediate as Offset):
Immediate Offset (upper 4bits)
7 Reserved, must be set (1)
6-5 Opcode (0-3)
When Bit 20 L=0 (Store) (and Doubleword Load/Store):
0: Reserved for SWP instruction (see ARM.12 Single Data Swap)
1: STR{cond}H Rd,<Address> ;Store halfword [a]=Rd
2: LDR{cond}D Rd,<Address> ;Load Doubleword R(d)=[a], R(d+1)=[a+4]
3: STR{cond}D Rd,<Address> ;Store Doubleword [a]=R(d), [a+4]=R(d+1)
When Bit 20 L=1 (Load):
0: Reserved.
1: LDR{cond}H Rd,<Address> ;Load Unsigned halfword (zero-extended)
2: LDR{cond}SB Rd,<Address> ;Load Signed byte (sign extended)
3: LDR{cond}SH Rd,<Address> ;Load Signed halfword (sign extended)
4 Reserved, must be set (1)
3-0 When above Bit 22 I=0:
Rm - Offset Register (R0-R14) (not including R15)
When above Bit 22 I=1:
Immediate Offset (lower 4bits) (0-255, together with upper bits)
|
<expression> ;an immediate used as address ;*** restriction: must be located in range PC+/-255+8, if so, ;*** assembler will calculate offset and use PC (R15) as base. |
[Rn] ;offset = zero
[Rn, <#{+/-}expression>]{!} ;offset = immediate
[Rn, {+/-}Rm]{!} ;offset = register
|
[Rn], <#{+/-}expression> ;offset = immediate
[Rn], {+/-}Rm ;offset = register
|
{!} exclamation mark ("!") indicates write-back (Rn will be updated).
|
| ARM.11: Block Data Transfer (LDM,STM) |
Bit Expl.
31-28 Condition
27-25 Must be 100b for this instruction
24 P - Pre/Post (0=post; add offset after transfer, 1=pre; before trans.)
23 U - Up/Down Bit (0=down; subtract offset from base, 1=up; add to base)
22 S - PSR & force user bit (0=No, 1=load PSR or force user mode)
21 W - Write-back bit (0=no write-back, 1=write address into base)
20 L - Load/Store bit (0=Store to memory, 1=Load from memory)
0: STM{cond}{amod} Rn{!},<Rlist>{^} ;Store (Push)
1: LDM{cond}{amod} Rn{!},<Rlist>{^} ;Load (Pop)
Whereas, {!}=Write-Back (W), and {^}=PSR/User Mode (S)
19-16 Rn - Base register (R0-R14) (not including R15)
15-0 Rlist - Register List
(Above 'offset' is meant to be the number of words specified in Rlist.)
|
IB increment before ;P=1, U=1 IA increment after ;P=0, U=1 DB decrement before ;P=1, U=0 DA decrement after ;P=0, U=0 |
ED empty stack, descending ;LDM: P=1, U=1 ;STM: P=0, U=0 FD full stack, descending ; P=0, U=1 ; P=1, U=0 EA empty stack, ascending ; P=1, U=0 ; P=0, U=1 FA full stack, ascending ; P=0, U=0 ; P=1, U=1 |
STMFD=STMDB=PUSH STMED=STMDA STMFA=STMIB STMEA=STMIA LDMFD=LDMIA=POP LDMED=LDMIB LDMFA=LDMDA LDMEA=LDMDB |
PUSH/POP: full descending ;base register SP (R13) LDM/STM: increment after ;base register R0..R7 |
While R15 loaded, additionally: CPSR=SPSR_<current mode> |
Rlist is referring to User Bank Registers, R0-R15 (rather than register related to the current mode, such like R14_svc etc.) Base write-back should not be used for User bank transfer. ! When instruction is LDM: ! ! If the following instruction reads from a banked register, ! ! like R14_svc, then CPU might still read R14 instead. If ! ! necessary insert a dummy instruction such like MOV R0,R0. ! |
| ARM.12: Single Data Swap (SWP) |
Bit Expl.
31-28 Condition
27-23 Must be 00010b for this instruction
Opcode (fixed)
SWP{cond}{B} Rd,Rm,[Rn] ;Rd=[Rn], [Rn]=Rm
22 B - Byte/Word bit (0=swap word quantity, 1=swap byte quantity)
21-20 Must be 00b for this instruction
19-16 Rn - Base register (R0-R14)
15-12 Rd - Destination Register (R0-R14)
11-4 Must be 00001001b for this instruction
3-0 Rm - Source Register (R0-R14)
|
| ARM.13: Software Interrupt (SWI,BKPT) |
Bit Expl.
31-28 Condition (must be 1110b for BKPT, ie. Condition=always)
27-24 Opcode
1111b: SWI{cond} nn ;software interrupt
0001b: BKPT nn ;breakpoint (ARMv5 and up)
For SWI:
23-0 nn - Comment Field, ignored by processor (24bit value)
For BKPT:
23-20 Must be 0010b for BKPT
19-8 nn - upper 12bits of comment field, ignored by processor
7-4 Must be 0111b for BKPT
3-0 nn - lower 4bits of comment field, ignored by processor
|
R14_svc=PC+4 R14_abt=PC+4 ;save return address SPSR_svc=CPSR SPSR_abt=CPSR ;save CPSR flags CPSR=<changed> CPSR=<changed> ;Enter svc/abt, ARM state, IRQs disabled PC=VVVV0008h PC=VVVV000Ch ;jump to SWI/PrefetchAbort vector address |
MOVS PC,R14 |
| ARM.14: Coprocessor Data Operations (CDP) |
Bit Expl.
31-28 Condition (or 1111b for CDP2 opcode on ARMv5 and up)
27-24 Must be 1110b for this instruction
ARM-Opcode (fixed)
CDP{cond} Pn,<cpopc>,Cd,Cn,Cm{,<cp>}
CDP2 Pn,<cpopc>,Cd,Cn,Cm{,<cp>}
23-20 CP Opc - Coprocessor operation code (0-15)
19-16 Cn - Coprocessor operand Register (C0-C15)
15-12 Cd - Coprocessor destination Register (C0-C15)
11-8 Pn - Coprocessor number (P0-P15)
7-5 CP - Coprocessor information (0-7)
4 Reserved, must be zero (otherwise MCR/MRC opcode)
3-0 Cm - Coprocessor operand Register (C0-C15)
|
| ARM.15: Coprocessor Data Transfers (LDC,STC) |
Bit Expl.
31-28 Condition (or 1111b for LDC2/STC2 opcodes on ARMv5 and up)
27-25 Must be 110b for this instruction
24 P - Pre/Post (0=post; add offset after transfer, 1=pre; before trans.)
23 U - Up/Down Bit (0=down; subtract offset from base, 1=up; add to base)
22 N - Transfer length (0-1, interpretation depends on co-processor)
21 W - Write-back bit (0=no write-back, 1=write address into base)
20 Opcode (0-1)
0: STC{cond}{L} Pn,Cd,<Address> ;Store to memory (from coprocessor)
0: STC2{L} Pn,Cd,<Address> ;Store to memory (from coprocessor)
1: LDC{cond}{L} Pn,Cd,<Address> ;Read from memory (to coprocessor)
1: LDC2{L} Pn,Cd,<Address> ;Read from memory (to coprocessor)
whereas {L} indicates long transfer (Bit 22: N=1)
19-16 Rn - ARM Base Register (R0-R15) (R15=PC+8)
15-12 Cd - Coprocessor src/dest Register (C0-C15)
11-8 Pn - Coprocessor number (P0-P15)
7-0 Offset - Unsigned Immediate, step 4 (0-1020, in steps of 4)
|
| ARM.16: Coprocessor Register Transfers (MRC, MCR) |
Bit Expl.
31-28 Condition (or 1111b for MRC2/MCR2 opcodes on ARMv5 and up)
27-24 Must be 1110b for this instruction
23-21 CP Opc - Coprocessor operation code (0-7)
20 ARM-Opcode (0-1)
0: MCR{cond} Pn,<cpopc>,Rd,Cn,Cm{,<cp>} ;move from ARM to CoPro
0: MCR2 Pn,<cpopc>,Rd,Cn,Cm{,<cp>} ;move from ARM to CoPro
1: MRC{cond} Pn,<cpopc>,Rd,Cn,Cm{,<cp>} ;move from CoPro to ARM
1: MRC2 Pn,<cpopc>,Rd,Cn,Cm{,<cp>} ;move from CoPro to ARM
19-16 Cn - Coprocessor source/dest. Register (C0-C15)
15-12 Rd - ARM source/destination Register (R0-R15)
11-8 Pn - Coprocessor number (P0-P15)
7-5 CP - Coprocessor information (0-7)
4 Reserved, must be one (1) (otherwise CDP opcode)
3-0 Cm - Coprocessor operand Register (C0-C15)
|
| ARM.X: Coprocessor Double-Register Transfer (MCRR,MRRC) |
Bit Expl.
31-28 Condition
27-21 Must be 1100010b for this instruction
20 L - Opcode (Load/Store)
0: MCRR{cond} Pn,opcode,Rd,Rn,Cm ;write Rd,Rn to coproc
1: MRRC{cond} Pn,opcode,Rd,Rn,Cm ;read Rd,Rn from coproc
19-16 Rn - Second source/dest register (R0-R14)
15-12 Rd - First source/dest register (R0-R14)
11-8 Pn - Coprocessor number (P0-P15)
7-4 CP Opc - Coprocessor operation code (0-15)
3-0 Cm - Coprocessor operand Register (C0-C15)
|
| ARM.17: Undefined Instruction |
Bit Expl. 31-28 Condition 27-25 Must be 011b for this instruction 24-5 Reserved for future use 4 Must be 1b for this instruction 3-0 Reserved for future use |
cond011xxxxxxxxxxxxxxxxxxxx1xxxx - reserved for future use (except below). cond01111111xxxxxxxxxxxx1111xxxx - free for user. |
| ARM.X: Count Leading Zeros |
Bit Expl.
31-28 Condition
27-16 Must be 0001.0110.1111b for this instruction
Opcode (fixed)
CLZ{cond} Rd,Rm ;Rd=Number of leading zeros in Rm
15-12 Rd - Destination Register (R0-R14)
11-4 Must be 1111.0001b for this instruction
3-0 Rm - Source Register (R0-R14)
|
| ARM.X: QADD/QSUB |
Bit Expl.
31-28 Condition
27-24 Must be 0001b for this instruction
23-20 Opcode
0000b: QADD{cond} Rd,Rm,Rn ;Rd=Rm+Rn
0010b: QSUB{cond} Rd,Rm,Rn ;Rd=Rm-Rn
0100b: QDADD{cond} Rd,Rm,Rn ;Rd=Rm+Rn*2 (doubled)
0110b: QDSUB{cond} Rd,Rm,Rn ;Rd=Rm-Rn*2 (doubled)
19-16 Rn - Second Source Register (R0-R14)
15-12 Rd - Destination Register (R0-R14)
11-4 Must be 00000101b for this instruction
3-0 Rm - First Source Register (R0-R14)
|
| ARM 26bit Memory Interface |
Bit Name Expl. 31-28 N,Z,C,V Flags (Sign, Zero, Carry, Overflow) 27-26 I,F Interrupt Disable bits (IRQ, FIQ) (1=Disable) 25-2 PC Program Counter, 24bit, Step 4 (64M range) 1-0 M1,M0 Mode (0=User, 1=FIQ, 2=IRQ, 3=Supervisor) |
R14_svc = PC ($+8, including old PSR bits) M1,M0 = 11b = supervisor mode, F=same, I=1, PC=14h |
| Pseudo Instructions and Directives |
nop mov r0,r0 ldr Rd,=Imm ldr Rd,[r15,disp] ;use .pool as parameter field) add Rd,=addr add/sub Rd,r15,disp adr Rd,addr add/sub Rd,r15,disp adrl Rd,addr two add/sub opcodes with disp=xx00h+00yyh mov Rd,Imm mvn Rd,NOT Imm ;or vice-versa and Rd,Rn,Imm bic Rd,Rn,NOT Imm ;or vice-versa cmp Rd,Rn,Imm cmn Rd,Rn,-Imm ;or vice-versa add Rd,Rn,Imm sub Rd,Rn,-Imm ;or vice-versa |
nop mov r8,r8 ldr Rd,=Imm ldr Rd,[r15,disp] ;use .pool as parameter field add Rd,=addr add Rd,r15,disp adr Rd,addr add Rd,r15,disp mov Rd,Rs add Rd,Rs,0 ;with Rd,Rs in range r0-r7 each |
org adr assume following code from this address on .gba indicate GBA program .nds indicate NDS program .fix fix GBA/NDS header checksum .ereader_create_bmp create GBA e-Reader dotcode .BMP file(s) (bitmaps) .ereader_create_raw create GBA e-Reader dotcode .RAW file (useless) .ereader_create_bin create GBA e-Reader dotcode .BIN file (smallest) .ereader_japan_plus japanese/plus (default is non-japanese) .ereader_japan_original japanese/original (with Z80-stub for GBA-code) .title 'Txt' defines a title (used for e-Reader dotcodes) .norewrite do not delete existing output file (keep following data in file) .data? following defines RAM data structure (assembled to nowhere) .code following is normal ROM code/data (assembled to ROM image) .include includes specified source code file (no nesting/error handling) .import imports specified binary file (optional parameters: ,begin,len) .radix nn changes default numeric format (nn=2,8,10,16 = bin/oct/dec/hex) .errif expr generates an error message if expression is nonzero .if expr assembles following code only if expression is nonzero .else invert previous .if condition .endif terminate .if/.ifdef/.ifndef .ifdef sym assemble following only if symbol is defined .ifndef sym assemble following only if symbol is not defined .align nn aligns to an address divisible-by-nn, inserts 00's .msg defines a no$gba debugmessage string, such like .msg 'Init Okay' .brk defines a no$gba source code break opcode l equ n l=n l: [cmd] l=$ (global label) @@l: [cmd] @@l=$ (local label, all locals are reset at next global label) end end of source code db ... define 8bit data (bytes) dw ... define 16bit data (halfwords) dd ... define 32bit data (words) defs nn define nn bytes space (zero-filled) ;... defines a comment (ignored by the assembler) // alias for CRLF, eg. allows <db 'Text',0 // dw addr> in one line |
align .align 4 code16 .thumb align nn .align nn .code 16 .thumb % nn defs nn code32 .arm .space nn defs nn .code 32 .arm ..ds nn defs nn ltorg .pool x=n x equ n .ltorg .pool .equ x,n x equ n ..ltorg .pool .define x n x equ n dcb db (8bit data) incbin .import defb db (8bit data) @@@... ;comment .byte db (8bit data) @ ... ;comment .ascii db (8bit string) @*... ;comment dcw dw (16bit data) @... ;comment defw dw (16bit data) .text .code .hword dw (16bit data) .bss .data? dcd dd (32bit data) .global (ignored) defd dd (32bit data) .extern (ignored) .long dd (32bit data) .thumb_func (ignored) .word dw/dd, don't use #directive .directive .end end .fill nn,1,0 defs nn |
hs cs ;condition higher or same = carry set asl lsl ;arithmetic shift left = logical shift left |
Type Normal Alias Decimal 85 #85 &d85 Hexadecimal 55h #55h 0x55 #0x55 $55 &h55 Octal 125o 0o125 &o125 Ascii 'U' "U" Binary 01010101b %01010101 0b01010101 &b01010101 Roman &rLXXXV (very useful for arrays of kings and chapters) |
Prio Operator Aliases 8 (,) brackets 7 +,- sign 6 *,/,MOD,SHL,SHR MUL,DIV,<<,>> 5 +,- operation 4 EQ,GE,GT,LE,LT,NE =,>=,>,<=,<,<>,==,!= 3 NOT 2 AND 1 OR,XOR EOR |
mov r0,0ffh ;no C64-style "#", and no C-style "0x" required
stmia [r7]!,r0,r4-r5 ;square [base] brackets, no fancy {rlist} brackets
mov r0,cpsr ;no confusing MSR and MRS (whatever which is which)
mov r0,p0,0,c0,c0,0 ;no confusing MCR and MRC (whatever which is which)
ldr r0,[score] ;allows to use clean brackets for relative addresses
push rlist ;alias for stmfd [r13]!,rlist (and same for pop/ldmfd)
label: ;label definitions recommended to use ":" colons
|
| ARM CP14 ICEbreaker Debug Communications Channel |
MRC{cond} P14,0,Rd,C0,C0,0 ;Read Debug Comms Control Register
MRC{cond} P14,0,Rd,C1,C0,0 ;Read Debug Comms Data Register
MRC{cond} P14,0,Rd,C2,C0,0 ;Read Debug Comms Status Register
MCR{cond} P14,0,Rd,C1,C0,0 ;Write Debug Comms Data Register
MCR{cond} P14,0,Rd,C2,C0,0 ;Write Debug Comms Status Register
|
| ARM CP15 System Control Coprocessor |
| ARM CP15 Overview |
MCR{cond} P15,0,Rd,Cn,Cm,<cp> ;move from ARM to CP15
MRC{cond} P15,0,Rd,Cn,Cm,<cp> ;move from CP15 to ARM
|
Register Expl. C0,C0,0 Main ID Register (R) C0,C0,1 Cache Type and Size (R) C0,C0,2 TCM Physical Size (R) C1,C0,0 Control Register (R/W, or R=Fixed) C2,C0,0 PU Cachability Bits for Data/Unified Protection Region C2,C0,1 PU Cachability Bits for Instruction Protection Region C3,C0,0 PU Write-Bufferability Bits for Data Protection Regions C5,C0,0 PU Access Permission Data/Unified Protection Region C5,C0,1 PU Access Permission Instruction Protection Region C5,C0,2 PU Extended Access Permission Data/Unified Protection Region C5,C0,3 PU Extended Access Permission Instruction Protection Region C6,C0..C7,0 PU Protection Unit Data/Unified Region 0..7 C6,C0..C7,1 PU Protection Unit Instruction Region 0..7 C7,Cm,Op2 Cache Commands and Halt Function (W) C9,C0,0 Cache Data Lockdown C9,C0,1 Cache Instruction Lockdown C9,C1,0 TCM Data TCM Base and Virtual Size C9,C1,1 TCM Instruction TCM Base and Virtual Size C13,Cm,Op2 Misc Process ID registers C15,Cm,Op2 Misc Implementation Defined and Test/Debug registers |
| ARM CP15 ID Codes |
12-15 ARM Era (0=Pre-ARM7, 7=ARM7, other=Post-ARM7) |
0-3 Revision Number
4-15 Primary Part Number (Bit12-15 must be other than 0 or 7)
(eg. 946h for ARM946)
16-19 Architecture (1=v4, 2=v4T, 3=v5, 4=v5T, 5=v5TE)
20-23 Variant Number
24-31 Implementor (41h=ARM, 44h=Digital Equipment Corp, 69h=Intel)
|
0-3 Revision Number 4-15 Primary Part Number (Bit12-15 must be 7) 16-22 Variant Number 23 Architecture (0=v3, 1=v4T) 24-31 Implementor (41h=ARM, 44h=Digital Equipment Corp, 69h=Intel) |
0-3 Revision Number 4-11 Processor ID LSBs (30h=ARM3/v2, 60h,61h,62=ARM600,610,620/v3) 12-31 Processor ID MSBs (fixed, 41560h) |
0-11 Instruction Cache (bits 0-1=len, 2=m, 3-5=assoc, 6-8=size, 9-11=zero)
12-23 Data Cache (bits 0-1=len, 2=m, 3-5=assoc, 6-8=size, 9-11=zero)
24 Separate Cache Flag (0=Unified, 1=Separate Data/Instruction Caches)
25-28 Cache Type (0,1,2,6,7=see below, other=reserved)
Type Method Cache cleaning Cache lock-down
0 Write-through Not needed Not supported
1 Write-back Read data block Not supported
2 Write-back Register 7 operations Not supported
6 Write-back Register 7 operations Format A
7 Write-back Register 7 operations Format B
29-31 Reserved (zero)
|
Cache Absent = (ASSOC=0 and M=1) ;in that case overriding below Cache Size = 200h+(100h*M) shl SIZE ;min 0.5Kbytes, max 96Kbytes Associativity = (1+(0.5*M)) shl ASSOC ;min 1-way, max 192-way Line Length = 8 shl LEN ;min 8 bytes, max 64 bytes |
0-1 Reserved (0) 2 ITCM Absent (0=Present, 1=Absent) 3-5 Reserved (0) 6-9 ITCM Size (Size = 512 SHL N) (or 0=None) 10-13 Reserved (0) 14 DTCM Absent (0=Present, 1=Absent) 15-17 Reserved (0) 18-21 DTCM Size (Size = 512 SHL N) (or 0=None) 22-31 Reserved (0) |
| ARM CP15 Control Register |
0 MMU/PU Enable (0=Disable, 1=Enable) (Fixed 0 if none) 1 Alignment Fault Check (0=Disable, 1=Enable) (Fixed 0/1 if none/always on) 2 Data/Unified Cache (0=Disable, 1=Enable) (Fixed 0/1 if none/always on) 3 Write Buffer (0=Disable, 1=Enable) (Fixed 0/1 if none/always on) 4 Exception Handling (0=26bit, 1=32bit) (Fixed 1 if always 32bit) 5 26bit-address faults (0=Enable, 1=Disable) (Fixed 1 if always 32bit) 6 Abort Model (pre v4) (0=Early, 1=Late Abort) (Fixed 1 if ARMv4 and up) 7 Endian (0=Little, 1=Big) (Fixed 0/1 if fixed) 8 System Protection bit (MMU-only) 9 ROM Protection bit (MMU-only) 10 Implementation defined 11 Branch Prediction (0=Disable, 1=Enable) 12 Instruction Cache (0=Disable, 1=Enable) (ignored if Unified cache) 13 Exception Vectors (0=00000000h, 1=FFFF0000h) 14 Cache Replacement (0=Normal/PseudoRandom, 1=Predictable/RoundRobin) 15 Pre-ARMv5 Mode (0=Normal, 1=Pre ARMv5; LDM/LDR/POP_PC.Bit0/Thumb) 16 DTCM Enable (0=Disable, 1=Enable) 17 DTCM Load Mode (0=R/W, 1=DTCM Write-only) 18 ITCM Enable (0=Disable, 1=Enable) 19 ITCM Load Mode (0=R/W, 1=ITCM Write-only) 20-31 Reserved (keep these bits unchanged) (usually zero) |
| ARM CP15 Memory Managment Unit (MMU) |
C2,Cm,Op2 MMU Translation Table Base C3,Cm,Op2 MMU Domain Access Control C5,Cm,Op2 MMU Fault Status C6,Cm,Op2 MMU Fault Address C8,Cm,Op2 MMU TLB Control C10,Cm,Op2 MMU TLB Lockdown |
| ARM CP15 Protection Unit (PU) |
0-7 Cachable (C) bits for region 0-7 8-31 Reserved/zero |
0-7 Bufferable (B) bits for region 0-7 8-31 Reserved/zero |
0-15 Access Permission (AP) bits for region 0-7 (Bits 0-1=AP0, 2-3=AP1, etc) 16-31 Reserved/zero |
0-31 Access Permission (AP) bits for region 0-7 (Bits 0-3=AP0, 4-7=AP1, etc) |
AP Privileged User 0 - - 1 R/W - 2 R/W R 3 R/W R/W 5 R - 6 R R |
0 Protection Region Enable (0=Disable, 1=Enable) 1-5 Protection Region Size (2 SHL X) ;min=(X=11)=4KB, max=(X=31)=4GB 6-11 Reserved/zero 12-31 Protection Region Base address (Addr = Y*4K; must be SIZE-aligned) |
| ARM CP15 Cache Control |
Cn,Cm,Op2 Rd ARM9 Command C7,C0,4 0 Yes Wait For Interrupt (Halt) C7,C5,0 0 Yes Invalidate Entire Instruction Cache C7,C5,1 VA Yes Invalidate Instruction Cache Line C7,C5,2 S/I - Invalidate Instruction Cache Line C7,C5,4 0 - Flush Prefetch Buffer C7,C5,6 0 - Flush Entire Branch Target Cache C7,C5,7 IMP? - Flush Branch Target Cache Entry C7,C6,0 0 Yes Invalidate Entire Data Cache C7,C6,1 VA Yes Invalidate Data Cache Line C7,C6,2 S/I - Invalidate Data Cache Line C7,C7,0 0 - Invalidate Entire Unified Cache C7,C7,1 VA - Invalidate Unified Cache Line C7,C7,2 S/I - Invalidate Unified Cache Line C7,C8,2 0 Yes Wait For Interrupt (Halt), alternately to C7,C0,4 C7,C10,1 VA Yes Clean Data Cache Line C7,C10,2 S/I Yes Clean Data Cache Line C7,C10,4 0 - Drain Write Buffer C7,C11,1 VA - Clean Unified Cache Line C7,C11,2 S/I - Clean Unified Cache Line C7,C13,1 VA Yes Prefetch Instruction Cache Line C7,C14,1 VA Yes Clean and Invalidate Data Cache Line C7,C14,2 S/I Yes Clean and Invalidate Data Cache Line C7,C15,1 VA - Clean and Invalidate Unified Cache Line C7,C15,2 S/I - Clean and Invalidate Unified Cache Line |
0 Not used, should be zero VA Virtual Address S/I Set/index; Bit 31..(32-A) = Index, Bit (L+S-1)..L = Set ? |
0..(31-W) Reserved/zero (32-W)..31 Lockdown Block Index |
0..(W-1) Lockdown Block Index W..30 Reserved/zero 31 L |
| ARM CP15 Tightly Coupled Memory (TCM) |
0 Reserved (0) 1-5 Virtual Size (Size = 512 SHL N) ;min=(N=3)=4KB, max=(N=23)=4GB 6-11 Reserved (0) 12-31 Region Base (Base = X SHL 12) ;Base must be Size-aligned |
| ARM CP15 Misc |
0-24 Reserved/zero 25-31 Process ID (PID) (0-127) (0=Disable) |
IF addr<32M then addr=addr+PID*32M Respectively, with PID=0, the address remains unchanged (FCSE disabled). |
1. CPU outputs a virtual address (VA) 2. FCSE adjusts the VA to a modified virtual address (MVA) 3. Cache hits determined by examining the MVA, continue below if no hit 4. MMU translates MVA to physical address (PA) (if no MMU present: PA=MVA) 5. Memory access occurs at PA |
0-31 Process ID |
0-15 Data Control (see below) 16-31 Instruction Control (see below) |
0 Start bit (Write: 1=Start) (Read: 1=Busy) 1 Pause bit (1=Pause) 2 Enable bit (1=Enable) 3 Fail Flag (1=Error) (Read Only) 4 Complete Flag (1=Ready) (Read Only) 5-15 Size (2^(N+2) bytes) (min=N=1=8bytes, max=N=24=64MB) |
0-31 Word-aligned Destination Address within Memory Block (eg. within ITCM) |
0-31 Fillvalue for BIST |
0-8 Reserved (zero) 9 Disable Instruction Cache Linefill 10 Disable Data Cache Linefill 11 Disable Instruction Cache Streaming 12 Disable Data Cache Streaming 13-31 Reserved (zero/unpredictable) |
0..1 Reserved (zero) 2..4 Word Address 5..N Index N+1..29 Reserved (zero) 30..31 Segment |
0..1 Set 2..3 Dirty Bits 4 Valid 5..N Index N+1..31 TAG Address |
| CPU Instruction Cycle Times |
Instruction Cycles Additional
---------------------------------------------------------------------
Data Processing 1S +1S+1N if R15 loaded, +1I if SHIFT(Rs)
MSR,MRS 1S
LDR 1S+1N+1I +1S+1N if R15 loaded
STR 2N
LDM nS+1N+1I +1S+1N if R15 loaded
STM (n-1)S+2N
SWP 1S+2N+1I
BL (THUMB) 3S+1N
B,BL 2S+1N
SWI,trap 2S+1N
MUL 1S+ml
MLA 1S+(m+1)I
MULL 1S+(m+1)I
MLAL 1S+(m+2)I
CDP 1S+bI
LDC,STC (n-1)S+2N+bI
MCR 1N+bI+1C
MRC 1S+(b+1)I+1C
{cond} false 1S
|
Q{D}ADD/SUB 1S+Interlock.
CLZ 1S.
LDR 1S+1N+1L
LDRB,LDRH,LDRmis 1S+1N+2L
LDR PC ...
STR 1S+1N (not 2N, and both in parallel)
|
n = number of words transferred b = number of cycles spent in coprocessor busy-wait loop m = depends on most significant byte(s) of multiplier operand |
| CPU Versions |
| CPU Data Sheet |
Pins of the original CPU, probably other for GBA. |
Optional virtual memory circuits, etc. not for GBA. |
As far as I know, none such in GBA. |
For external hardware-based debugging. |
For external hardware-based debugging also. |
Detailed: What happens during each cycle of each instruction. |
http://www.arm.com/Documentation/UserMans/PDF/ARM7TDMI.html |
| NDS Reference |
| DS Technical Data |
1x ARM946E-S 32bit RISC CPU, 66MHz (NDS9 video) (not used in GBA mode) 1x ARM7TDMI 32bit RISC CPU, 33MHz (NDS7 sound) (16MHz in GBA mode) |
4096KB Main RAM (8192KB in debug version) 96KB WRAM (64K mapped to NDS7, plus 32K mappable to NDS7 or NDS9) 60KB TCM/Cache (TCM: 16K Data, 32K Code) (Cache: 4K Data, 8K Code) 656KB VRAM (allocateable as BG/OBJ/2D/3D/Palette/Texture/WRAM memory) 4KB OAM/PAL (2K OBJ Attribute Memory, 2K Standard Palette RAM) 248KB Internal 3D Memory (104K Polygon RAM, 144K Vertex RAM) ?KB Matrix Stack, 48 scanline cache 8KB Wifi RAM 256KB Firmware FLASH (512KB in iQue variant, with chinese charset) 36KB BIOS ROM (4K NDS9, 16K NDS7, 16K GBA) |
2x LCD screens (each 256x192 pixel, 3 inch, 18bit color depth, backlight) 2x 2D video engines (extended variants of the GBA's video controller) 1x 3D video engine (can be assigned to upper or lower screen) 1x video capture (for effects, or for forwarding 3D to the 2nd 2D engine) |
16 sound channels (16x PCM8/PCM16/IMA-ADPCM, 6x PSG-Wave, 2x PSG-Noise) 2 sound capture units (for echo effects, etc.) Output: Two built-in stereo speakers, and headphones socket Input: One built-in microphone, and microphone socket |
Gamepad 4 Direction Keys, 8 Buttons Touchscreen (on lower LCD screen) |
Wifi IEEE802.11b |
Built-in Real Time Clock Power Managment Device Hardware divide and square root functions CP15 System Control Coprocessor (cache, tcm, pu, bist, etc.) |
NDS Slot (for NDS games) (encrypted 8bit data bus, and serial 1bit bus) GBA Slot (for NDS expansions, or for GBA games) (but not for DMG/CGB games) |
ROM: 16MB, 32MB, or 64MB EEPROM/FLASH/FRAM: 0.5KB, 8KB, 64KB, 256KB, or 512KB |
NDS Cartridge (NDS mode) Firmware FLASH (NDS mode) (eg. by patching firmware via ds-xboo cable) Wifi (NDS mode) GBA Cartridge (GBA mode) (without DMG/CGB support) (without SIO support) |
Built-in rechargeable Lithium ion battery, 3.7V 1000mAh (DS-Lite) External Supply: 5.2V DC |
| DS I/O Maps |
4000000h 4 2D Engine A - DISPCNT - LCD Control (Read/Write) 4000004h 2 2D Engine A+B - DISPSTAT - General LCD Status (Read/Write) 4000006h 2 2D Engine A+B - VCOUNT - Vertical Counter (Read only) 4000008h 50h 2D Engine A (same registers as GBA, some changed bits) 4000060h 2 DISP3DCNT - 3D Display Control Register (R/W) 4000064h 4 DISPCAPCNT - Display Capture Control Register (R/W) 4000068h 4 DISP_MMEM_FIFO - Main Memory Display FIFO (R?/W) 400006Ch 2 2D Engine A - MASTER_BRIGHT - Master Brightness Up/Down |
40000B0h 30h DMA Channel 0..3 40000E0h 10h DMA FILL Registers for Channel 0..3 4000100h 10h Timers 0..3 4000130h 2 KEYINPUT 4000132h 2 KEYCNT |
4000180h 2 IPCSYNC - IPC Synchronize Register (R/W) 4000184h 2 IPCFIFOCNT - IPC Fifo Control Register (R/W) 4000188h 4 IPCFIFOSEND - IPC Send Fifo (W) 40001A0h 2 AUXSPICNT - Gamecard ROM and SPI Control 40001A2h 2 AUXSPIDATA - Gamecard SPI Bus Data/Strobe 40001A4h 4 Gamecard bus timing/control 40001A8h 8 Gamecard bus 8-byte command out 40001B0h 4 Gamecard Encryption Seed 0 Lower 32bit 40001B4h 4 Gamecard Encryption Seed 1 Lower 32bit 40001B8h 2 Gamecard Encryption Seed 0 Upper 7bit (bit8-15 unused) 40001BAh 2 Gamecard Encryption Seed 1 Upper 7bit (bit8-15 unused) |
4000204h 2 EXMEMCNT - External Memory Control (R/W) 4000208h 2 IME - Interrupt Master Enable (R/W) 4000210h 4 IE - Interrupt Enable (R/W) 4000214h 4 IF - Interrupt Request Flags (R/W) 4000240h 1 VRAMCNT_A - VRAM-A (128K) Bank Control (W) 4000241h 1 VRAMCNT_B - VRAM-B (128K) Bank Control (W) 4000242h 1 VRAMCNT_C - VRAM-C (128K) Bank Control (W) 4000243h 1 VRAMCNT_D - VRAM-D (128K) Bank Control (W) 4000244h 1 VRAMCNT_E - VRAM-E (64K) Bank Control (W) 4000245h 1 VRAMCNT_F - VRAM-F (16K) Bank Control (W) 4000246h 1 VRAMCNT_G - VRAM-G (16K) Bank Control (W) 4000247h 1 WRAMCNT - WRAM Bank Control (W) 4000248h 1 VRAMCNT_H - VRAM-H (32K) Bank Control (W) 4000249h 1 VRAMCNT_I - VRAM-I (16K) Bank Control (W) |
4000280h 2 DIVCNT - Division Control (R/W) 4000290h 8 DIV_NUMER - Division Numerator (R/W) 4000298h 8 DIV_DENOM - Division Denominator (R/W) 40002A0h 8 DIV_RESULT - Division Quotient (=Numer/Denom) (R/W?) 40002A8h 8 DIVREM_RESULT - Division Remainder (=Numer MOD Denom) (R/W?) 40002B0h 2 SQRTCNT - Square Root Control (R/W) 40002B4h 4 SQRT_RESULT - Square Root Result (R/W?) 40002B8h 8 SQRT_PARAM - Square Root Parameter Input (R/W) 4000300h 4 POSTFLG - Undoc 4000304h 2 POWCNT1 - Graphics Power Control Register (R/W) |
4000320h..6A3h |
4001000h 4 2D Engine B - DISPCNT - LCD Control (Read/Write) 4001008h 50h 2D Engine B (same registers as GBA, some changed bits) 400106Ch 2 2D Engine B - MASTER_BRIGHT - 16bit - Brightness Up/Down |
4100000h 4 IPCFIFORECV - IPC Receive Fifo (R) 4100010h 4 Gamecard bus 4-byte data in, for manual or dma read |
27FFD9Ch .. NDS9 Debug Stacktop / Debug Vector (0=None) DTCM+3FF8h 4 NDS9 IRQ Check Bits (hardcoded RAM address) DTCM+3FFCh 4 NDS9 IRQ Handler (hardcoded RAM address) |
27FFFFEh 2 Main Memory Control |
4000004h 2 DISPSTAT 4000006h 2 VCOUNT 40000B0h 30h DMA Channels 0..3 4000100h 10h Timers 0..3 4000120h 4 Debug SIODATA32 4000128h 4 Debug SIOCNT 4000130h 2 keyinput 4000132h 2 keycnt 4000134h 2 Debug RCNT 4000136h 2 EXTKEYIN 4000138h 1 RTC Realtime Clock Bus 4000180h 2 IPCSYNC - IPC Synchronize Register (R/W) 4000184h 2 IPCFIFOCNT - IPC Fifo Control Register (R/W) 4000188h 4 IPCFIFOSEND - IPC Send Fifo (W) 40001A0h 2 AUXSPICNT - Gamecard ROM and SPI Control 40001A2h 2 AUXSPIDATA - Gamecard SPI Bus Data/Strobe 40001A4h 4 Gamecard bus timing/control 40001A8h 8 Gamecard bus 8-byte command out 40001B0h 4 Gamecard Encryption Seed 0 Lower 32bit 40001B4h 4 Gamecard Encryption Seed 1 Lower 32bit 40001B8h 2 Gamecard Encryption Seed 0 Upper 7bit (bit8-15 unused) 40001BAh 2 Gamecard Encryption Seed 1 Upper 7bit (bit8-15 unused) 40001C0h 2 SPI bus Control (Firmware, Touchscreen, Powerman) 40001C2h 2 SPI bus Data |
4000204h 2 EXMEMSTAT - External Memory Status 4000206h 2 WIFIWAITCNT 4000208h 4 IME 4000210h 4 IE 4000214h 4 IF 4000240h 1 VRAMSTAT - VRAM-C,D Bank Status (R) 4000241h 1 WRAMSTAT - WRAM Bank Status (R) 4000300h 1 POSTFLG 4000301h 1 HALTCNT (different bits than on GBA) (plus NOP delay) 4000304h 2 POWCNT2 Sound/Wifi Power Control Register (R/W) 4000308h 4 BIOSPROT - Bios-data-read-protection address |
4000400h 100h Sound Channel 0..15 (10h bytes each) 40004x0h 4 SOUNDxCNT - Sound Channel X Control Register (R/W) 40004x4h 4 SOUNDxSAD - Sound Channel X Data Source Register (W) 40004x8h 2 SOUNDxTMR - Sound Channel X Timer Register (W) 40004xAh 2 SOUNDxPNT - Sound Channel X Loopstart Register (W) 40004xCh 4 SOUNDxLEN - Sound Channel X Length Register (W) 4000500h 2 SOUNDCNT - Sound Control Register (R/W) 4000504h 2 SOUNDBIAS - Sound Bias Register (R/W) 4000508h 1 SNDCAP0CNT - Sound Capture 0 Control Register (R/W) 4000509h 1 SNDCAP1CNT - Sound Capture 1 Control Register (R/W) 4000510h 4 SNDCAP0DAD - Sound Capture 0 Destination Address (R/W) 4000514h 2 SNDCAP0LEN - Sound Capture 0 Length (W) 4000518h 4 SNDCAP1DAD - Sound Capture 1 Destination Address (R/W) 400051Ch 2 SNDCAP1LEN - Sound Capture 1 Length (W) |
4100000h 4 IPCFIFORECV - IPC Receive Fifo (R) 4100010h 4 Gamecard bus 4-byte data in, for manual or dma read |
4800000h .. Wifi WS0 Region (32K) (Wifi Ports, and 8K Wifi RAM) 4808000h .. Wifi WS1 Region (32K) (mirror of above, other waitstates) |
380FFDCh .. NDS7 Debug Stacktop / Debug Vector (0=None) 380FFF8h 4 NDS7 IRQ Check Bits (hardcoded RAM address) 380FFFCh 4 NDS7 IRQ Handler (hardcoded RAM address) |
| DS Memory Maps |
00000000h Instruction TCM (32KB) (not moveable) (mirror-able to 1000000h) 0xxxx000h Data TCM (16KB) (moveable) 02000000h Main Memory (4MB) 03000000h Shared WRAM (0KB, 16KB, or 32KB can be allocated to ARM9) 04000000h ARM9-I/O Ports 05000000h Standard Palettes (2KB) (Engine A BG/OBJ, Engine B BG/OBJ) 06000000h VRAM - Engine A, BG VRAM (max 512KB) 06200000h VRAM - Engine B, BG VRAM (max 128KB) 06400000h VRAM - Engine A, OBJ VRAM (max 256KB) 06600000h VRAM - Engine B, OBJ VRAM (max 128KB) 06800000h VRAM - "LCDC"-allocated (max 656KB) 07000000h OAM (2KB) (Engine A, Engine B) 08000000h GBA Slot ROM (max. 32MB) 0A000000h GBA Slot RAM (max. 64KB) FFFF0000h ARM9-BIOS (32KB) (only 3K used) |
00000000h ARM7-BIOS (16KB) 02000000h Main Memory (4MB) 03000000h Shared WRAM (0KB, 16KB, or 32KB can be allocated to ARM7) 03800000h ARM7-WRAM (64KB) 04000000h ARM7-I/O Ports 04800000h Wireless Communications Wait State 0 (8KB RAM at 4804000h) 04808000h Wireless Communications Wait State 1 (I/O Ports at 4808000h) 06000000h VRAM allocated as Work RAM to ARM7 (max. 256K) 08000000h GBA Slot ROM (max. 32MB) 0A000000h GBA Slot RAM (max. 64KB) |
3D Engine Polygon RAM (52KBx2) 3D Engine Vertex RAM (72KBx2) Firmware (256KB) (built-in serial flash memory) GBA-BIOS (16KB) (not used in NDS mode) NDS Slot ROM (serial 8bit-bus, max. 4GB with default protocol) NDS Slot FLASH/EEPROM/FRAM (serial 1bit-bus) |
| DS Memory Control |
| DS Memory Control - Cache and TCM |
ITCM 32K, base=00000000h (fixed, not move-able) DTCM 16K, base=moveable (default base=27C0000h) |
Data Cache 4KB, Instruction Cache 8KB 4-way set associative method Cache line 8 words (32 bytes) Read-allocate method (ie. writes are not allocating cache lines) Round-robin and Pseudo-random replacement algorithms selectable Cache Lockdown, Instruction Prefetch, Data Preload Data write-through and write-back modes selectable |
Region Name Address Size Cache WBuf Code Data - Background 00000000h 4GB - - - - 0 I/O and VRAM 04000000h 64MB - - R/W R/W 1 Main Memory 02000000h 4MB On On R/W R/W 2 ARM7-dedicated 027C0000h 256KB - - - - 3 GBA Slot 08000000h 128MB - - - R/W 4 DTCM 027C0000h 16KB - - - R/W 5 ITCM 01000000h 32KB - - R/W R/W 6 BIOS FFFF0000h 32KB On - R R 7 Shared Work 027FF000h 4KB - - - R/W |
| DS Memory Control - Cartridges and Main RAM |
0-1 32-pin GBA Slot SRAM Access Time (0-3 = 10, 8, 6, 18 cycles) 2-3 32-pin GBA Slot ROM 1st Access Time (0-3 = 10, 8, 6, 18 cycles) 4 32-pin GBA Slot ROM 2nd Access Time (0-1 = 6, 4 cycles) 5-6 32-pin GBA Slot PHI-pin out (0-3 = Low, 4.19MHz, 8.38MHz, 16.76MHz) 7 32-pin GBA Slot Access Rights (0=ARM9, 1=ARM7) 8-10 Not used (always zero) 11 17-pin NDS Slot Access Rights (0=ARM9, 1=ARM7) 12 Not used (always zero) 13 Not used (always set ?) 14 Main Memory Interface Mode Switch (0=Async/GBA/Reserved, 1=Synchronous) 15 Main Memory Access Priority (0=ARM9 Priority, 1=ARM7 Priority) |
| DS Memory Control - WRAM |
0-1 ARM9/ARM7 (0-3 = 32K/0K, 2nd 16K/1st 16K, 1st 16K/2nd 16K, 0K/32K) 2-7 Not used |
| DS Memory Control - VRAM |
0 VRAM C enabled and allocated to NDS7 (0=No, 1=Yes) 1 VRAM D enabled and allocated to NDS7 (0=No, 1=Yes) 2-7 Not used (always zero) |
0-2 VRAM MST ;Bit2 not used by VRAM-A,B,H,I 3-4 VRAM Offset (0-3) ;Offset not used by VRAM-E,H,I 5-6 Not used 7 VRAM Enable (0=Disable, 1=Enable) |
VRAM SIZE MST OFS ARM9, Plain ARM9-CPU Access (so-called LCDC mode) A 128K 0 - 6800000h-681FFFFh B 128K 0 - 6820000h-683FFFFh C 128K 0 - 6840000h-685FFFFh D 128K 0 - 6860000h-687FFFFh E 64K 0 - 6880000h-688FFFFh F 16K 0 - 6890000h-6893FFFh G 16K 0 - 6894000h-6897FFFh H 32K 0 - 6898000h-689FFFFh I 16K 0 - 68A0000h-68A3FFFh VRAM SIZE MST OFS ARM9, 2D Graphics Engine A, BG-VRAM (max 512K) A,B,C,D 128K 1 0..3 6000000h+(20000h*OFS) E 64K 1 - 6000000h F,G 16K 1 0..3 6000000h+(4000h*OFS.0)+(10000h*OFS.1) VRAM SIZE MST OFS ARM9, 2D Graphics Engine A, OBJ-VRAM (max 256K) A,B 128K 2 0..1 6400000h+(20000h*OFS.0) ;(OFS.1 must be zero) E 64K 2 - 6400000h F,G 16K 2 0..3 6400000h+(4000h*OFS.0)+(10000h*OFS.1) VRAM SIZE MST OFS 2D Graphics Engine A, BG Extended Palette E 64K 4 - Slot 0-3 ;only lower 32K used F,G 16K 4 0..1 Slot 0-1 (OFS=0), Slot 2-3 (OFS=1) VRAM SIZE MST OFS 2D Graphics Engine A, OBJ Extended Palette F,G 16K 5 - Slot 0 ;16K each (only lower 8K used) VRAM SIZE MST OFS Texture/Rear-plane Image A,B,C,D 128K 3 0..3 Slot OFS(0-3) ;(Slot2-3: Texture, or Rear-plane) VRAM SIZE MST OFS Texture Palette E 64K 3 - Slots 0-3 ;OFS=don't care F,G 16K 3 0..3 Slot (OFS.0*1)+(OFS.1*4) ;ie. Slot 0, 1, 4, or 5 VRAM SIZE MST OFS ARM9, 2D Graphics Engine B, BG-VRAM (max 128K) C 128K 4 - 6200000h H 32K 1 - 6200000h I 16K 1 - 6208000h VRAM SIZE MST OFS ARM9, 2D Graphics Engine B, OBJ-VRAM (max 128K) D 128K 4 - 6600000h I 16K 2 - 6600000h VRAM SIZE MST OFS 2D Graphics Engine B, BG Extended Palette H 32K 2 - Slot 0-3 VRAM SIZE MST OFS 2D Graphics Engine B, OBJ Extended Palette I 16K 3 - Slot 0 ;(only lower 8K used) VRAM SIZE MST OFS <ARM7>, Plain <ARM7>-CPU Access C,D 128K 2 0..1 6000000h+(20000h*OFS.0) ;OFS.1 must be zero |
5000000h Engine A Standard BG Palette (512 bytes) 5000200h Engine A Standard OBJ Palette (512 bytes) 5000400h Engine B Standard BG Palette (512 bytes) 5000600h Engine B Standard OBJ Palette (512 bytes) 7000000h Engine A OAM (1024 bytes) 7000400h Engine B OAM (1024 bytes) |
| DS Memory Control - BIOS |
Opcodes at... Can read from Expl. 0..[BIOSPROT]-1 0..3FFFh Double-protected (when BIOSPROT is set) [BIOSPROT]..3FFFh [BIOSPROT]..3FFFh Normal-protected (always active) |
05ECh ldrb r3,[r3,12h] ;requires incoming r3=src-12h 05EEh pop r2,r4,r6,r7,r15 ;requires dummy values & THUMB retadr on stack |
| DS Memory Timings |
Bus clock = 33MHz (33.513982 MHz) (1FF61FEh Hertz) NDS7 clock = 33MHz (same as bus clock) NDS9 clock = 66MHz (internally twice bus clock; for cache/tcm) |
NDS7/CODE NDS9/CODE N32 S32 N16 S16 Bus N32 S32 N16 S16 Bus 9 2 8 1 16 9 9 4.5 4.5 16 Main RAM (read) (cache off) 1 1 1 1 32 4 4 2 2 32 WRAM,BIOS,I/O,OAM 2 2 1 1 16 5 5 2.5 2.5 16 VRAM,Palette RAM 16 12 10 6 16 19 19 9.5 9.5 16 GBA ROM (example 10,6 access) - - - - - 0.5 0.5 0.5 0.5 32 TCM, Cache_Hit - - - - - (--Load 8 words--) Cache_Miss |
NDS7/DATA NDS9/DATA N32 S32 N16 S16 Bus N32 S32 N16 S16 Bus 10 2 9 1 16 10 2 9 1 16 Main RAM (read) (cache off) 1 1 1 1 32 4 1 4 1 32 WRAM,BIOS,I/O,OAM 1? 2 1 1 16 5 2 4 1 16 VRAM,Palette RAM 15 12 9 6 16 19 12 13 6 16 GBA ROM (example 10,6 access) 9 10 9 10 8 13 10 13 10 8 GBA RAM (example 10 access) - - - - - 0.5 0.5 0.5 - 32 TCM, Cache_Hit - - - - - (--Load 8 words--) Cache_Miss - - - - - 11 11 11 - 32 Cache_Miss (BIOS) - - - - - 23 23 23 - 16 Cache_Miss (Main RAM) |
S16 and N16 do not exist (because thumb-double-fetching) (see there). S32 becomes N32 (ie. the ARM9 does NOT support fast sequential timing). |
Eg. an ARM9 N32 or S32 to 16bit bus will take: N16 + S16 + 3 waits. Eg. an ARM9 N32 or S32 to 32bit bus will take: N32 + 3 waits. |
Eg. LDRH on 16bit-data-bus is N16+3waits. Eg. LDR on 16bit-data-bus is N16+S16+3waits. Eg. LDM on 16bit-data-bus is N16+(n*2-1)*S16+3waits. |
That is NOT true for LDM (works only for LDR/LDRB/LDRH). That is NOT true for DATA in SAME memory region than CODE. That is NOT true for DATA in ITCM (no matter if CODE is in ITCM). |
| DS Video |
| DS Video Stuff |
0-4 Factor used for 6bit R,G,B Intensities (0-16, values >16 same as 16)
Brightness up: New = Old + (63-Old) * Factor/16
Brightness down: New = Old - Old * Factor/16
5-13 Not used
14-15 Mode (0=Disable, 1=Up, 2=Down, 3=Reserved)
|
write new LY values only in range of 202..212 write only while old LY values are in range of 202..212 |
Region______Engine A______________Engine B___________ I/O Ports 4000000h 4001000h Palette 5000000h (1K) 5000400h (1K) BG VRAM 6000000h (max 512K) 6200000h (max 128K) OBJ VRAM 6400000h (max 256K) 6600000h (max 128K) OAM 7000000h (1K) 7000400h (1K) |
Bit0-3 "COMMAND" (?) Bit4-7 "COMMAND2" (?) Bit8-11 "COMMAND3" (?) |
| DS Video BG Modes / Control |
Bit Engine Expl. 0-2 A+B BG Mode 3 A BG0 2D/3D Selection (instead CGB Mode) (0=2D, 1=3D) 4 A+B Tile OBJ Mapping (0=2D; max 32KB, 1=1D; max 32KB..256KB) 5 A+B Bitmap OBJ 2D-Dimension (0=128x512 dots, 1=256x256 dots) 6 A+B Bitmap OBJ Mapping (0=2D; max 128KB, 1=1D; max 128KB..256KB) 7-15 A+B Same as GBA 16-17 A+B Display Mode (Engine A: 0..3, Engine B: 0..1, GBA: Green Swap) 18-19 A VRAM block (0..3=VRAM A..D) (For Capture & above Display Mode=2) 20-21 A+B Tile OBJ 1D-Boundary (see Bit4) 22 A Bitmap OBJ 1D-Boundary (see Bit5-6) 23 A+B OBJ Processing during H-Blank (was located in Bit5 on GBA) 24-26 A Character Base (in 64K steps) (merged with 16K step in BGxCNT) 27-29 A Screen Base (in 64K steps) (merged with 2K step in BGxCNT) 30 A+B BG Extended Palettes (0=Disable, 1=Enable) 31 A+B OBJ Extended Palettes (0=Disable, 1=Enable) |
Mode BG0 BG1 BG2 BG3 0 Text/3D Text Text Text 1 Text/3D Text Text Affine 2 Text/3D Text Affine Affine 3 Text/3D Text Text Extended 4 Text/3D Text Affine Extended 5 Text/3D Text Extended Extended 6 3D - Large - |
BGxCNT.Bit7 BGxCNT.Bit2 Extended Affine Mode Selection 0 CharBaseLsb rot/scal with 16bit bgmap entries (Text+Affine mixup) 1 0 rot/scal 256 color bitmap 1 1 rot/scal direct color bitmap |
0 Display off (screen becomes white) 1 Graphics Display (normal BG and OBJ layers) 2 Engine A only: VRAM Display (Bitmap from block selected in DISPCNT.18-19) 3 Engine A only: Main Memory Display (Bitmap DMA transfer from Main RAM) |
engine A screen base: BGxCNT.bits*2K + DISPCNT.bits*64K engine B screen base: BGxCNT.bits*2K + 0 engine A char base: BGxCNT.bits*16K + DISPCNT.bits*64K engine B char base: BGxCNT.bits*16K + 0 |
bgcnt size text rotscal bitmap large bmp 0 256x256 128x128 128x128 512x1024 1 512x256 256x256 256x256 1024x512 2 256x512 512x512 512x256 - 3 512x512 1024x1024 512x512 - |
(BG0: 0=Slot0, 1=Slot2, BG1: 0=Slot1, 1=Slot3) |
| DS Video OBJs |
Bit4 Bit20-21 Dimension Boundary Total ;Notes 0 x 2D 32 32K ;Same as GBA 2D Mapping 1 0 1D 32 32K ;Same as GBA 1D Mapping 1 1 1D 64 64K 1 2 1D 128 128K 1 3 1D 256 256K ;Engine B: 128K max |
Bit6 Bit5 Bit22 Dimension Boundary Total ;Notes 0 0 x 2D/128 dots 8x8 dots 128K ;Source Bitmap width 128 dots 0 1 x 2D/256 dots 8x8 dots 128K ;Source Bitmap width 256 dots 1 0 0 1D 128 bytes 128K ;Source Width = Target Width 1 0 1 1D 256 bytes 256K ;Engine A only 1 1 x Reserved |
1D_BitmapVramAddress = TileNumber(0..3FFh) * BoundaryValue(128..256) 2D_BitmapVramAddress = (TileNo AND MaskX)*10h + (TileNo AND NOT MaskX)*80h |
| DS Video Extended Palettes |
standard palette --> 16-color tiles (with 16bit bgmap entries) (text)
256-color tiles (with 8bit bgmap entries) (rot/scal)
256-color bitmaps
backdrop-color (color 0)
extended palette --> 256-color tiles (with 16bit bgmap entries)(text,rot/scal)
|
16 colors x 16 palettes --> standard palette memory (=256 colors) 256 colors x 16 palettes --> extended palette memory (=4096 colors) |
| DS Video Capture and Main Memory Display Mode |
0-4 EVA (0..16 = Blending Factor for Source A) 5-7 Not used 8-12 EVB (0..16 = Blending Factor for Source B) 13-15 Not used 16-17 VRAM Write Block (0..3 = VRAM A..D) (VRAM must be allocated to LCDC) 18-19 VRAM Write Offset (0=00000h, 0=08000h, 0=10000h, 0=18000h) 20-21 Capture Size (0=128x128, 1=256x64, 2=256x128, 3=256x192 dots) 22-23 Not used 24 Source A (0=Graphics Screen BG+3D+OBJ, 1=3D Screen) 25 Source B (0=VRAM, 1=Main Memory Display FIFO) 26-27 VRAM Read Offset (0=00000h, 0=08000h, 0=10000h, 0=18000h) 28 Not used 29-30 Capture Source (0=Source A, 1=Source B, 2/3=Sources A+B blended) 31 Capture Enable (0=Disable/Ready, 1=Enable/Busy) |
Dest_Intensity = ( (SrcA_Intensitity * SrcA_Alpha * EVA)
+ (SrcB_Intensitity * SrcB_Alpha * EVB) ) / 16
Dest_Alpha = (SrcA_Alpha AND (EVA>0)) OR (SrcB_Alpha AND EVB>0))
|
- to Screen A (set DISPCNT to Main Memory Display mode), or - to Display Capture unit (set DISPCAPCNT to Main Memory Source). |
| DS Video Display System Block Diagram |
_____________ __________
VRAM A -->| 2D Graphics |--------OBJ->| |
VRAM B -->| Engine A |--------BG3->| Layering |
VRAM C -->| |--------BG2->| and |
VRAM D -->| |--------BG1->| Special |
VRAM E -->| | ___ | Effects |
VRAM F -->| |->|SEL| | | ______
VRAM G -->| - - - - - - | |BG0|-BG0->| |----+--->| |
| 3D Graphics |->|___| |__________| | |Select|
| Engine | | |Video |
|_____________|--------3D----------------+ | |Input |
_______ _______ ___ | | | |
| | | |<-----------|SEL|<-+ | |and |-->
| | | | _____ |A | | | |
VRAM A <--|Select | |Select | | |<-|___|<----+ |Master|
VRAM B <--|Capture|<---|Capture|<--|Blend| ___ |Bright|
VRAM C <--|Dest. | |Source | |_____|<-|SEL|<----+ |A |
VRAM D <--| | | | |B | | | |
|_______| |_______|<-----------|___|<-+ | | |
_______ | | | |
VRAM A -->|Select | | | | |
VRAM B -->|Display|--------------------------------+------>| |
VRAM C -->|VRAM | | | |
VRAM D -->|_______| _____________ | | |
|Main Memory | | | |
Main ------DMA---->|Display FIFO |------------------+--->|______|
Memory |_____________|
_____________ __________ ______
VRAM C -->| 2D Graphics |--------OBJ->| Layering | | |
VRAM D -->| Engine B |--------BG3->| and | |Master|
VRAM H -->| |--------BG2->| Special |-------->|Bright|-->
VRAM I -->| |--------BG1->| Effects | |B |
|_____________|--------BG0->|__________| |______|
|
| DS 3D Video |
| DS 3D Overview |
| DS 3D I/O Map |
Address Siz Name Expl. 4000060h 2 DISP3DCNT 3D Display Control Register (R/W) 4000320h 1 RDLINES_COUNT Rendered Line Count Register (R) 4000330h 10h EDGE_COLOR Edge Colors 0..7 (W) 4000340h 1 ALPHA_TEST_REF Alpha-Test Comparision Value (W) 4000350h 4 CLEAR_COLOR Clear Color Attribute Register (W) 4000354h 2 CLEAR_DEPTH Clear Depth Register (W) 4000356h 2 CLRIMAGE_OFFSET Rear-plane Bitmap Scroll Offsets (W) 4000358h 4 FOG_COLOR Fog Color (W) 400035Ch 2 FOG_OFFSET Fog Offset (W) 4000360h 20h FOG_TABLE Fog Density Table, 32 entries (W) 4000380h 40h TOON_TABLE Toon Table, 32 colors (W) 4000400h 40h GXFIFO Geometry Command FIFO (W) 4000440h ... ... Geometry Command Ports (see below) 4000600h 4 GXSTAT Geometry Engine Status Register (R and R/W) 4000604h 4 RAM_COUNT Polygon List & Vertex RAM Count Register (R) 4000610h 2 DISP_1DOT_DEPTH 1-Dot Polygon Display Boundary Depth (W) 4000620h 10h POS_RESULT Position Test Results (R) 4000630h 6 VEC_RESULT Vector Test Results (R) 4000640h 40h CLIPMTX_RESULT Read Current Clip Coordinates Matrix (R) 4000680h 24h VECMTX_RESULT Read Current Directional Vector Matrix (R) |
Address Cmd Pa.Cy. N/A 00h - - NOP - No Operation (for padding packed GXFIFO commands) 4000440h 10h 1 1 MTX_MODE - Set Matrix Mode (W) 4000444h 11h - 17 MTX_PUSH - Push Current Matrix on Stack (W) 4000448h 12h 1 36 MTX_POP - Pop Current Matrix from Stack (W) 400044Ch 13h 1 17 MTX_STORE - Store Current Matrix on Stack (W) 4000450h 14h 1 36 MTX_RESTORE - Restore Current Matrix from Stack (W) 4000454h 15h - 19 MTX_IDENTITY - Load Unit Matrix to Current Matrix (W) 4000458h 16h 16 34 MTX_LOAD_4x4 - Load 4x4 Matrix to Current Matrix (W) 400045Ch 17h 12 30 MTX_LOAD_4x3 - Load 4x3 Matrix to Current Matrix (W) 4000460h 18h 16 35* MTX_MULT_4x4 - Multiply Current Matrix by 4x4 Matrix (W) 4000464h 19h 12 31* MTX_MULT_4x3 - Multiply Current Matrix by 4x3 Matrix (W) 4000468h 1Ah 9 28* MTX_MULT_3x3 - Multiply Current Matrix by 3x3 Matrix (W) 400046Ch 1Bh 3 22 MTX_SCALE - Multiply Current Matrix by Scale Matrix (W) 4000470h 1Ch 3 22* MTX_TRANS - Mult. Curr. Matrix by Translation Matrix (W) 4000480h 20h 1 1 COLOR - Directly Set Vertex Color (W) 4000484h 21h 1 9* NORMAL - Set Normal Vector (W) 4000488h 22h 1 1 TEXCOORD - Set Texture Coordinates (W) 400048Ch 23h 2 9 VTX_16 - Set Vertex XYZ Coordinates (W) 4000490h 24h 1 8 VTX_10 - Set Vertex XYZ Coordinates (W) 4000494h 25h 1 8 VTX_XY - Set Vertex XY Coordinates (W) 4000498h 26h 1 8 VTX_XZ - Set Vertex XZ Coordinates (W) 400049Ch 27h 1 8 VTX_YZ - Set Vertex YZ Coordinates (W) 40004A0h 28h 1 8 VTX_DIFF - Set Relative Vertex Coordinates (W) 40004A4h 29h 1 1 POLYGON_ATTR - Set Polygon Attributes (W) 40004A8h 2Ah 1 1 TEXIMAGE_PARAM - Set Texture Parameters (W) 40004ACh 2Bh 1 1 PLTT_BASE - Set Texture Palette Base Address (W) 40004C0h 30h 1 4 DIF_AMB - MaterialColor0 - Diffuse/Ambient Reflect. (W) 40004C4h 31h 1 4 SPE_EMI - MaterialColor1 - Specular Ref. & Emission (W) 40004C8h 32h 1 6 LIGHT_VECTOR - Set Light's Directional Vector (W) 40004CCh 33h 1 1 LIGHT_COLOR - Set Light Color (W) 40004D0h 34h 32 32 SHININESS - Specular Reflection Shininess Table (W) 4000500h 40h 1 1 BEGIN_VTXS - Start of Vertex List (W) 4000504h 41h - 1 END_VTXS - End of Vertex List (W) 4000540h 50h 1 392 SWAP_BUFFERS - Swap Rendering Engine Buffer (W) 4000580h 60h 1 1 VIEWPORT - Set Viewport (W) 40005C0h 70h 3 103 BOX_TEST - Test if Cuboid Sits inside View Volume (W) 40005C4h 71h 2 9 POS_TEST - Set Position Coordinates for Test (W) 40005C8h 72h 1 5 VEC_TEST - Set Directional Vector for Test (W) |
| DS 3D Display Control |
0 Texture Mapping (0=Disable, 1=Enable) 1 PolygonAttr Shading (0=Toon Shading, 1=Highlight Shading) 2 Alpha-Test (0=Disable, 1=Enable) (see ALPHA_TEST_REF) 3 Alpha-Blending (0=Disable, 1=Enable) (see various Alpha values) 4 Anti-aliasing (0=Disable, 1=Enable) 5 Edge-marking (0=Disable, 1=Enable) (see EDGE_COLOR) 6 Fog Mode (0=Alpha and Color, 1=Only Alpha) (see FOG_COLOR) 7 Fog Master Enable (0=Disable, 1=Enable) 8-11 Fog Shift (0..10; SHR-Divider) (see FOG_OFFSET) 12 Color Buffer RDLINES Underflow (0=None, 1=Underflow/Acknowledge) 13 Polygon/Vertex RAM Overflow (0=None, 1=Overflow/Acknowledge) 14 Rear-Plane Mode (0=Blank, 1=Bitmap) 15-31 Not used |
0 Translucent polygon Y-sorting (0=Auto-sort, 1=Manual-sort)
1 Depth Buffering (0=With Z-value, 1=With W-value)
(mode 1 does not function properly with orthogonal projections)
2-31 Not used
|
0-7 Screen/BG0 Coordinate X1 (0..255) (For Fullscreen: 0=Left-most) 8-15 Screen/BG0 Coordinate Y1 (0..191) (For Fullscreen: 0=Bottom-most) 16-23 Screen/BG0 Coordinate X2 (0..255) (For Fullscreen: 255=Right-most) 24-31 Screen/BG0 Coordinate Y2 (0..191) (For Fullscreen: 191=Top-most) |
0-14 W-Coordinate (Unsigned, 12bit integer, 3bit fractional part) 15-31 Not used (0000h=Closest, 7FFFh=Most Distant) |
0-4 Alpha-Test Comparision Value (0..31) (Hide pixels if Alpha<AlphaRef) 5-31 Not used |
| DS 3D Geometry Commands |
0-7 First Packed Command (or Unpacked Command) 8-15 Second Packed Command (or 00h=None) 16-23 Third Packed Command (or 00h=None) 24-31 Fourth Packed Command (or 00h=None) |
0-31 Parameter data for the previously sent (packed) command(s) |
- command1 (upper 24bit zero) - parameter(s) for command1 (if any) - command2 (upper 24bit zero) - parameter(s) for command2 (if any) - command3 (upper 24bit zero) - parameter(s) for command3 (if any) |
- command1,2,3,4 packed into one 32bit value (all bits used) - parameter(s) for command1 (if any) - parameter(s) for command2 (if any) - parameter(s) for command3 (if any) - parameter(s) for command4 (top-most packed command MUST have parameters) - command5,6 packed into one 32bit value (upper 16bit zero) - parameter(s) for command5 (if any) - parameter(s) for command6 (top-most packed command MUST have parameters) - command7,8,9 packed into one 32bit value (upper 8bit zero) - parameter(s) for command7 (if any) - parameter(s) for command8 (if any) - parameter(s) for command9 (top-most packed command MUST have parameters) |
| DS 3D Matrix Load/Multiply |
0-1 Matrix Mode (0..3)
0 Projection Matrix
1 Position Matrix (aka Modelview Matrix)
2 Position & Vector Simultaneous Set mode (used for Light+VEC_TEST)
3 Texture Matrix (see DS 3D Texture Coordinates chapter)
2-31 Not used
|
| DS 3D Matrix Types |
_ 4x4 Matrix _ _ Identity Matrix _ | m[0] m[1] m[2] m[3] | | 1.0 0 0 0 | | m[4] m[5] m[6] m[7] | | 0 1.0 0 0 | | m[8] m[9] m[10] m[11] | | 0 0 1.0 0 | |_m[12] m[13] m[14] m[15]_| |_ 0 0 0 1.0 _| |
_ 4x3 Matrix _ _ Translation Matrix _ | m[0] m[1] m[2] 0 | | 1.0 0 0 0 | | m[3] m[4] m[5] 0 | | 0 1.0 0 0 | | m[6] m[7] m[8] 0 | | 0 0 1.0 0 | |_m[9] m[10] m[11] 1.0 _| |_m[0] m[1] m[2] 1.0 _| |
_ 3x3 Matrix _ _ Scale Matrix _ | m[0] m[1] m[2] 0 | | m[0] 0 0 0 | | m[3] m[4] m[5] 0 | | 0 m[1] 0 0 | | m[6] m[7] m[8] 0 | | 0 0 m[2] 0 | |_ 0 0 0 1.0 _| |_ 0 0 0 1.0 _| |
| DS 3D Matrix Stack |
Matrix Stack Valid Stack Area Stack Pointer Projection Stack 0..0 (1 entry) 0..1 (1bit) (GXSTAT: 1bit) Coordinate Stack 0..30 (31 entries) 0..63 (6bit) (GXSTAT: 5bit only) Directional Stack 0..30 (31 entries) (uses Coordinate Stack Pointer) Texture Stack One..None? 0..1 (1bit) (GXSTAT: N/A) |
Parameter Bit0-5: Stack Offset (signed value, -30..+31) (usually +1) Parameter Bit6-31: Not used |
Parameter Bit0-4: Stack Address (0..30) (31 causes overflow in GXSTAT.15) Parameter Bit5-31: Not used |
Parameter Bit0-4: Stack Address (0..30) (31 causes overflow in GXSTAT.15) Parameter Bit5-31: Not used |
| DS 3D Matrix Examples (Projection) |
Perspective Projection Orthogonal Projection
___ __________
top ___---- | top | |
| view | | view |
Eye ----|--------->| Eye ----|--------->|
|__volume | | volume |
bottom ----___| bottom|__________|
near far near far
|
| (2.0)/(r-l) 0 0 0 | | 0 (2.0)/(t-b) 0 0 | | 0 0 (2.0)/(n-f) 0 | | (l+r)/(l-r) (b+t)/(b-t) (n+f)/(n-f) 1.0 | |
| (2*n)/(r-l) 0 0 0 | | 0 (2*n)/(t-b) 0 0 | | (r+l)/(r-l) (t+b)/(t-b) (n+f)/(n-f) -1.0 | | 0 0 (2*n*f)/(n-f) 0 | |
| cos/(asp*sin) 0 0 0 | | 0 cos/sin 0 0 | | 0 0 (n+f)/(n-f) -1.0 | | 0 0 (2*n*f)/(n-f) 0 | |
| DS 3D Matrix Examples (Rotate/Scale/Translate) |
Load(Identity) ;no rotation/scaling used Load(Identity), Mul(Rotate), Mul(Scale) ;rotation/scaling (not so efficient) Load(Rotate), Mul(Scale) ;rotation/scaling (more efficient) |
Around X-Axis Around Y-Axis Around Z-Axis | 1.0 0 0 | | cos 0 sin | | cos sin 0 | | 0 cos sin | | 0 1.0 0 | | -sin cos 0 | | 0 -sin cos | | -sin 0 cos | | 0 0 1.0 | |
| DS 3D Matrix Examples (Maths Basics) |
| c11 c12 c13 c14 | | a11 a12 a13 a14 | | b11 b12 b13 b14 | | c21 c22 c23 c24 | = | a21 a22 a23 a24 | * | b21 b22 b23 b24 | | c31 c32 c33 c34 | | a31 a32 a33 a34 | | b31 b32 b33 b34 | | c41 c42 c43 c44 | | a41 a42 a43 a44 | | b41 b42 b43 b44 | |
cyx = ay1*b1x + ay2*b2x + ay3*b3x + ay4*b4x |
| b11 b12 b13 b14 |
| c11 c12 c13 c14 | = | a11 a12 a13 a14 | * | b21 b22 b23 b24 |
| b31 b32 b33 b34 |
| b41 b42 b43 b44 |
|
cyx = ay1*b1x + ay2*b2x + ay3*b3x + ay4*b4x |
cyx = ayx*n |
cyx = ayx +/- byx |
cyx = ay1*b1x + ay2*b2x + ay3*b3x + ay4*b4x |
| DS 3D Polygon Attributes |
0-3 Light 0..3 Enable Flags (each bit: 0=Disable, 1=Enable) 4-5 Polygon Mode (0=Modulation,1=Decal,2=Toon/Highlight Shading,3=Shadow) 6 Polygon Back Surface (0=Hide, 1=Render) ;Line-segments are always 7 Polygon Front Surface (0=Hide, 1=Render) ;rendered (no front/back) 8-10 Not used 11 Depth-value for Translucent Polygons (0=Keep Old, 1=Set New Depth) 12 Far-plane intersecting polygons (0=Hide, 1=Render/clipped) 13 1-Dot polygons behind DISP_1DOT_DEPTH (0=Hide, 1=Render) 14 Depth Test, Draw Pixels with Depth (0=Less, 1=Equal) (usually 0) 15 Fog Enable (0=Disable, 1=Enable) 16-20 Alpha (0=Wire-Frame, 1..30=Translucent, 31=Solid) 21-23 Not used 24-29 Polygon ID (00h..3Fh, used for translucent, shadow, and edge-marking) 30-31 Not used |
Parameter 1, Bit 0-4 Red Parameter 1, Bit 5-9 Green Parameter 1, Bit 10-14 Blue Parameter 1, Bit 15-31 Not used |
| DS 3D Polygon Definitions by Vertices |
Separate Tri. Triangle Strips Line Segment v0 v2___v4____v6 |\ v3 /|\ |\ /\ v0 v1 | \ /\ v0( | \ | \ / \ ------ |__\ /__\ \|__\|__\/____\ v2 v1 v2 v4 v5 v1 v3 v5 v7 |
Separate Quads Quadliteral Strips Prohibited Quads
v0__v3 v0__v2____v4 v10__ v0__v3 v4
/ \ v4____v7 / \ |\ _____ / /v11 \/ |\
/ \ | \ / \ | |v6 v8| / /\ v5| \
/______\ |_____\ /______\___|_|_____|/ /__\ /___\
v1 v2 v5 v6 v1 v3 v5 v7 v9 v2 v1 v6 v7
|
Parameter 1, Bit 0-1 Primitive Type (0..3, see below) Parameter 1, Bit 2-31 Not used |
0 Separate Triangle(s) ;3*N vertices per N triangles 1 Separate Quadliteral(s) ;4*N vertices per N quads 2 Triangle Strips ;3+(N-1) vertices per N triangles 3 Quadliteral Strips ;4+(N-1)*2 vertices per N quads |
Parameter 1, Bit 0-15 X-Coordinate (signed, with 12bit fractional part) Parameter 1, Bit 16-31 Y-Coordinate (signed, with 12bit fractional part) Parameter 2, Bit 0-15 Z-Coordinate (signed, with 12bit fractional part) Parameter 2, Bit 16-31 Not used |
Parameter 1, Bit 0-9 X-Coordinate (signed, with 6bit fractional part) Parameter 1, Bit 10-19 Y-Coordinate (signed, with 6bit fractional part) Parameter 1, Bit 20-29 Z-Coordinate (signed, with 6bit fractional part) Parameter 1, Bit 30-31 Not used |
Parameter 1, Bit 0-15 X-Coordinate (signed, with 12bit fractional part) Parameter 1, Bit 16-31 Y-Coordinate (signed, with 12bit fractional part) |
Parameter 1, Bit 0-15 X-Coordinate (signed, with 12bit fractional part) Parameter 1, Bit 16-31 Z-Coordinate (signed, with 12bit fractional part) |
Parameter 1, Bit 0-15 Y-Coordinate (signed, with 12bit fractional part) Parameter 1, Bit 16-31 Z-Coordinate (signed, with 12bit fractional part) |
Parameter 1, Bit 0-9 X-Difference (signed, with 9bit fractional part) Parameter 1, Bit 10-19 Y-Difference (signed, with 9bit fractional part) Parameter 1, Bit 20-29 Z-Difference (signed, with 9bit fractional part) Parameter 1, Bit 30-31 Not used |
( xx, yy, zz, ww ) = ( x, y, z, 1.0 ) * ClipMatrix |
screen_x = (xx+ww)*viewport_width / (2*ww) + viewport_x1 screen_y = (yy+ww)*viewport_height / (2*ww) + viewport_y1 |
| DS 3D Polygon Light Parameters |
0-9 Directional Vector's X component (1bit sign + 9bit fractional part) 10-19 Directional Vector's Y component (1bit sign + 9bit fractional part) 20-29 Directional Vector's Z component (1bit sign + 9bit fractional part) 30-31 Light Number (0..3) |
0-4 Red (0..1Fh) ;\light color this will be combined with 5-9 Green (0..1Fh) ; diffuse, specular, and ambient colors 10-14 Blue (0..1Fh) ;/upon execution of the normal command 15-29 Not used 30-31 Light Number (0..3) |
0-4 Diffuse Reflection Red ;\light(s) that directly hits the polygon, 5-9 Diffuse Reflection Green ; ie. max when NormalVector has opposite 10-14 Diffuse Reflection Blue ;/direction of LightVector 15 Set Vertex Color (0=No, 1=Set Diffuse Reflection Color as Vertex Color) 16-20 Ambient Reflection Red ;\light(s) that indirectly hits the polygon, 21-25 Ambient Reflection Green ; ie. assuming that light is reflected by 26-30 Ambient Reflection Blue ;/walls/floor, regardless of LightVector 31 Not used |
0-4 Specular Reflection Red ;\light(s) reflected towards the camera, 5-9 Specular Reflection Green ; ie. max when NormalVector is in middle of 10-14 Specular Reflection Blue ;/LightVector and ViewDirection 15 Specular Reflection Shininess Table (0=Disable, 1=Enable) 16-20 Emission Red ;\light emitted by the polygon itself, 21-25 Emission Green ; ie. regardless of light colors/vectors, 26-30 Emission Blue ;/and no matter if any lights are enabled 31 Not used |
0-7 Shininess 0 (unsigned fixed-point, 0bit integer, 8bit fractional part)
8-15 Shininess 1 ("")
16-23 Shininess 2 ("")
24-31 Shininess 3 ("")
|
0-9 X-Component of Normal Vector (1bit sign + 9bit fractional part) 10-19 Y-Component of Normal Vector (1bit sign + 9bit fractional part) 20-29 Z-Component of Normal Vector (1bit sign + 9bit fractional part) 30-31 Not used |
IF TexCoordTransformMode=2 THEN TexCoord=NormalVector*Matrix (see TexCoord)
NormalVector=NormalVector*DirectionalMatrix
VertexColor = EmissionColor
FOR i=0 to 3
IF PolygonAttrLight[i]=enabled THEN
DiffuseLevel = max(0,-(LightVector[i]*NormalVector))
ShininessLevel = max(0,(-HalfVector[i])*(NormalVector))^2
IF TableEnabled THEN ShininessLevel = ShininessTable[ShininessLevel]
;note: below processed separately for the R,G,B color components...
VertexColor = VertexColor + SpecularColor*LightColor[i]*ShininessLevel
VertexColor = VertexColor + DiffuseColor*LightColor[i]*DiffuseLevel
VertexColor = VertexColor + AmbientColor*LightColor[i]
ENDIF
NEXT i
|
LightVector[i] = (LightVector*DirectionalMatrix) HalfVector[i] = (LightVector[i]+LineOfSightVector)/2 |
LineOfSightVector = (0,0,-1.0) |
Specular Reflection WON'T WORK when the ProjectionMatrix is rotated (!) |
| DS 3D Shadow Polygons |
| DS 3D Texture Attributes |
Parameter 1, Bit 0-15 S-Coordinate (X-Coordinate in Texture Source) Parameter 1, Bit 16-31 T-Coordinate (Y-Coordinate in Texture Source) Both values are 1bit sign + 11bit integer + 4bit fractional part. A value of 1.0 (=1 SHL 4) equals to one Texel. |
0-15 Texture VRAM Offset div 8 (0..FFFFh -> 512K RAM in Slot 0,1,2,3)
(VRAM must be allocated as Texture data, see Memory Control chapter)
16 Repeat in S Direction (0=Freeze last texel-column, 1=Repeat Texture)
17 Repeat in T Direction (0=Freeze last texel-row, 1=Repeat Texture)
18 Flip in S Direction (0=No, 1=Flip each 2nd Texture) (requires Repeat)
19 Flip in T Direction (0=No, 1=Flip each 2nd Texture) (requires Repeat)
20-22 Texture S-Size (for N=0..7: Size=(8 SHL N); ie. 8..1024 texels)
23-25 Texture T-Size (for N=0..7: Size=(8 SHL N); ie. 8..1024 texels)
26-28 Texture Format (0..7, see below)
29 Color 0 of 4/16/256-Color Palettes (0=Displayed, 1=Made Transparent)
30-31 Texture Coordinates Transformation Mode (0..3, see below)
|
0 No Texture 1 A3I5 Translucent Texture 2 4-Color Palette Texture 3 16-Color Palette Texture 4 256-Color Palette Texture 5 4x4-Texel Compressed Texture 6 A5I3 Translucent Texture 7 Direct Texture |
0 Do not Transform texture coordinates 1 TexCoord source 2 Normal source 3 Vertex source |
No Repeat Repeat Repeat+Flip >------- >>>>>>>> ><><><>< |
0-12 Palette Base Address (div8 or div10h, see below)
(Not used for Texture Format 7: Direct Color Texture)
(0..FFF8h/8 for Texture Format 2: ie. 4-color-palette Texture)
(0..17FF0h/10h for all other Texture formats)
13-31 Not used
|
| DS 3D Texture Formats |
Bit0-4: Color Index (0..31) of a 32-color Palette Bit5-7: Alpha (0..7; 0=Transparent, 7=Solid) |
Bit0-2: Color Index (0..7) of a 8-color Palette Bit3-7: Alpha (0..31; 0=Transparent, 31=Solid) |
Bit0-7 Upper 4-Texel row (LSB=first/left-most Texel)
Bit8-15 Next 4-Texel row ("")
Bit16-23 Next 4-Texel row ("")
Bit24-31 Lower 4-Texel row ("")
|
Bit0-13 Palette Offset in 4-byte steps; Addr=(PLTT_BASE*10h)+(Offset*4) Bit14-15 Transparent/Interpolation Mode (0..3, see below) |
slot1_addr = slot0_addr / 2 ;lower 64K of Slot1 assoc to Slot0 slot1_addr = slot2_addr / 2 + 10000h ;upper 64K of Slot1 assoc to Slot2 |
Texel Mode 0 Mode 1 Mode 2 Mode 3 0 Color 0 Color0 Color 0 Color 0 1 Color 1 Color1 Color 1 Color 1 2 Color 2 (Color0+Color1)/2 Color 2 (Color0*5+Color1*3)/8 3 Transparent Transparent Color 3 (Color0*3+Color1*5)/8 |
| DS 3D Texture Coordinates |
( S' T' ) = ( S T ) |
| m[0] m[1] |
( S' T' ) = ( S T 1/16 1/16 ) * | m[4] m[5] |
| m[8] m[9] |
|_m[12] m[13]_|
|
| m[0] m[1] |
( S' T' ) = ( Nx Ny Nz 1.0 ) * | m[4] m[5] |
| m[8] m[9] |
|_S T _|
|
| m[0] m[1] |
( S' T' ) = ( Vx Vy Vz 1.0 ) * | m[4] m[5] |
| m[8] m[9] |
|_S T _|
|
| DS 3D Texture Blending |
R = ((Rt+1)*(Rv+1)-1)/64 G = ((Gt+1)*(Gv+1)-1)/64 B = ((Bt+1)*(Bv+1)-1)/64 A = ((At+1)*(Av+1)-1)/64 |
R = (Rt*At + Rv*(63-At))/64 ;except, when At=0: R=Rv, when At=31: R=Rt G = (Gt*At + Gv*(63-At))/64 ;except, when At=0: G=Gv, when At=31: G=Gt B = (Bt*At + Bv*(63-At))/64 ;except, when At=0: B=Bv, when At=31: B=Bt A = Av |
R = ((Rt+1)*(Rs+1)-1)/64 ;Rs=ToonTableRed[Rv] G = ((Gt+1)*(Gs+1)-1)/64 ;Gs=ToonTableGreen[Rv] B = ((Bt+1)*(Bs+1)-1)/64 ;Bs=ToonTableBlue[Rv] A = ((At+1)*(Av+1)-1)/64 |
R = ((Rt+1)*(Rs+1)-1)/64+Rs ;truncated to MAX=63 G = ((Gt+1)*(Gs+1)-1)/64+Gs ;truncated to MAX=63 B = ((Bt+1)*(Bs+1)-1)/64+Bs ;truncated to MAX=63 A = ((At+1)*(Av+1)-1)/64 |
| DS 3D Toon, Edge, Fog |
Bit0-4: Red, Bit5-9: Green, Bit10-14: Blue, Bit15: Not Used |
Bit0-4: Red, Bit5-9: Green, Bit10-14: Blue, Bit15: Not Used |
0-4 Fog Color, Red 5-9 Fog Color, Green 10-14 Fog Color, Blue 15 Not used 16-20 Fog Alpha 21-31 Not used |
0-14 Fog Offset (Unsigned) (0..7FFFh=Depth) (and FOG_SHIFT in DISP3DCNT) 15-31 Not used |
0-6 Fog Density (00h..7Fh = None..Full) (usually increasing values) 7 Not used |
Density[n] --> used at Depth = FOG_OFFSET+(400h SHR FOG_SHIFT)*(n+1) |
| DS 3D Status |
0 BoxTest,PositionTest,VectorTest Busy (0=Ready, 1=Busy) 1 BoxTest Result (0=All Outside View, 1=Parts or Fully Inside View) 2-7 Not used 8-12 Position & Vector Matrix Stack Level (0..31) (lower 5bit of 6bit value) 13 Projection Matrix Stack Level (0..1) 14 Matrix Stack Busy (0=No, 1=Yes; Currently executing a Push/Pop command) 15 Matrix Stack Overflow/Underflow Error (0=No, 1=Error/Acknowledge/Reset) 16-24 Number of 40bit-entries in Command FIFO (0..256) (24) Command FIFO Full (MSB of above) (0=No, 1=Yes; Full) 25 Command FIFO Less Than Half Full (0=No, 1=Yes; Less than Half-full) 26 Command FIFO Empty (0=No, 1=Yes; Empty) 27 Geometry Engine Busy (0=No, 1=Yes; Busy; Commands are executing) 28-29 Not used 30-31 Command FIFO IRQ (0=Never, 1=Less than half full, 2=Empty, 3=Reserved) |
0-11 Number of Polygons currently stored in Polygon List RAM (0..2048) 12-15 Not used 16-28 Number of Vertices currently stored in Vertex RAM (0..6144) 13-15 Not used |
0-5 Minimum Number (minus 2) of buffered lines in previous frame (0..46) 6-31 Not used |
| DS 3D Tests |
Parameter 1, Bit 0-15 X-Coordinate Parameter 1, Bit 16-31 Y-Coordinate Parameter 2, Bit 0-15 Z-Coordinate Parameter 2, Bit 16-31 Width (presumably: X-Offset?) Parameter 3, Bit 0-15 Height (presumably: Y-Offset?) Parameter 3, Bit 16-31 Depth (presumably: Z-Offset?) All values are 1bit sign, 3bit integer, 12bit fractional part |
Parameter 1, Bit 0-15 X-Coordinate Parameter 1, Bit 16-31 Y-Coordinate Parameter 2, Bit 0-15 Z-Coordinate Parameter 2, Bit 16-31 Not used All values are 1bit sign, 3bit integer, 12bit fractional part. |
Parameter 1, Bit 0-9 X-Component Parameter 1, Bit 10-19 Y-Component Parameter 1, Bit 20-29 Z-Component Parameter 1, Bit 30-31 Not used All values are 1bit sign, 9bit fractional part. |
| DS 3D Rear-Plane |
--> 2D Layers --> 3D Polygons --> 3D Rear-plane --> 2D Layers --> 2D Backdrop |
0-4 Clear Color, Red 5-9 Clear Color, Green 10-14 Clear Color, Blue 15 Fog (enables Fog to the rear-plane) (doesn't affect Fog of polygons) 16-20 Alpha 21-23 Not used 24-29 Clear Polygon ID (affects edge-marking, at the screen-edges?) 30-31 Not used |
0-14 Clear Depth (0..7FFFh) (usually 7FFFh = most distant) 15 Not used 16-31 See Port 4000356h, CLRIMAGE_OFFSET |
Rear Color Bitmap (presumably taken from Texture Slot 2, or 3?)
0-4 Clear Color, Red
5-9 Clear Color, Green
10-14 Clear Color, Blue
15 Alpha (0=Transparent, 1=Solid) (equivalent to 5bit-alpha 0 and 31)
Rear Depth Bitmap (presumably taken from Texture Slot 3, or 2?)
0-14 Clear Depth, expanded to 24bit as X=(X*200h)+((X+1)/8000h)*1FFh
15 Clear Fog (Initial fog enable value)
|
Bit0-7 X-Offset (0..255; 0=upper row of bitmap) Bit8-14 Y-Offset (0..255; 0=left column of bitmap) |
| DS 3D Final 2D Output |
Brightness up/down with BG0 as 1st Target via EVY (as for 2D) Blending with BG0 as 2nd Target via EVA/EVB (as for 2D) Blending with BG0 as 1st Target via 3D Alpha-values (unlike as for 2D) |
| DS Sound |
| DS Sound Channels 0..15 |
Bit0-6 Volume Mul (0..127=silent..loud) Bit7 Not used (always zero) Bit8-9 Volume Div (0=Normal, 1=Div2, 2=Div4, 3=Div16) Bit10-14 Not used (always zero) Bit15 Hold (0=Normal, 1=Hold last sample after one-shot sound) Bit16-22 Panning (0..127=left..right) (64=half volume on both speakers) Bit23 Not used (always zero) Bit24-26 Wave Duty (0..7) ;HIGH=(N+1)*12.5%, LOW=(7-N)*12.5% (PSG only) Bit27-28 Repeat Mode (0=Manual, 1=Loop Infinite, 2=One-Shot, 3=Prohibited) Bit29-30 Format (0=PCM8, 1=PCM16, 2=IMA-ADPCM, 3=PSG/Noise) Bit31 Start/Status (0=Stop, 1=Start/Busy) |
Bit0-26 Source Address (must be word aligned, bit0-1 are always zero) Bit27-31 Not used |
Bit0-15 Timer Value, Sample frequency, timerval=-(33513982/2)/freq |
Bit0-15 Loop Start, Sample loop start position
(counted in words, ie. N*4 bytes)
|
Bit0-21 Sound length (counted in words, ie. N*4 bytes) Bit22-31 Not used |
| DS Sound Control Registers |
Bit0-6 Master Volume (0..127=silent..loud) Bit7 Not used (always zero) Bit8-9 Left Output from (0=Left Mixer, 1=Ch1, 2=Ch3, 3=Ch1+Ch3) Bit10-11 Right Output from (0=Right Mixer, 1=Ch1, 2=Ch3, 3=Ch1+Ch3) Bit12 Output Ch1 to Mixer (0=Yes, 1=No) (both Left/Right) Bit13 Output Ch3 to Mixer (0=Yes, 1=No) (both Left/Right) Bit14 Not used (always zero) Bit15 Master Enable (0=Disable, 1=Enable) Bit16-31 Not used (always zero) |
Bit0-9 Sound Bias (0..3FFh, usually 200h) Bit10-31 Not used (always zero) |
| DS Sound Capture |
Bit0 Control of Associated Sound Channels (ANDed with Bit7)
SNDCAP0CNT: Output Sound Channel 1 (0=As such, 1=Add to Channel 0)
SNDCAP1CNT: Output Sound Channel 3 (0=As such, 1=Add to Channel 2)
Caution: Addition mode works only if BOTH Bit0 and Bit7 are set.
Bit1 Capture Source Selection
SNDCAP0CNT: Capture 0 Source (0=Left Mixer, 1=Channel 0/Bugged)
SNDCAP1CNT: Capture 1 Source (0=Right Mixer, 1=Channel 2/Bugged)
Bit2 Capture Repeat (0=Loop, 1=One-shot)
Bit3 Capture Format (0=PCM16, 1=PCM8)
Bit4-6 Not used (always zero)
Bit7 Capture Start/Status (0=Stop, 1=Start/Busy)
|
Bit0-26 Destination address (word aligned, bit0-1 are always zero) Bit27-31 Not used (always zero) |
Bit0-15 Buffer length (1..FFFFh words) (ie. N*4 bytes) Bit16-31 Not used |
1) Both Negative Bug - SNDCAPxCNT Bit1=1, Bit0=0 (addition disabled) Capture data is accidently set to -8000h if ch(a) and ch(b) are both <0. Otherwise the correct capture result is returned, ie. plain ch(a) data, not being affected by ch(b) (since addition is disabled). Workaround: Ensure that ch(a) and/or ch(b) are >=0 (or disabled). 2) Overflow Bug - SNDCAPxCNT Bit1=1, Bit0=1 (addition enabled) In this mode, Capture data isn't clipped to MinMax(-8000h,+7FFFh), instead, it is ANDed with FFFFh, so the sign bit is lost if the addition result ch(a)+ch(b) is less/greater than -8000h/+7FFFh. Workaround: Reduce ch(a)/ch(b) volume or data to avoid overflows. |
1) Addition Result for Capture(x) when using capture source=ch(a): Addition is performed always, no matter of SOUNDCNT.Bit12/13. And, no matter of ch(a) enable, result is plain ch(b) if ch(a) is disabled. Result is 16bit (plus fraction) with overflow error (see Capture Bugs). 2) Addition Result for Mixer (towards speakers, and capture source=mixer): Ch(b) is muted if ch(a) is disabled. Ch(b) is muted if ch(b) SOUNDCNT.Bit12/13 is set to "Ch(b) not to mixer". Result is 17bit (plus fraction) without overflow error. |
| DS Sound Block Diagrams |
_____
Ch0.L ------------->| | +------------------------------> to Capture 0
___ | | | ___
Ch1.L ---+->|Sel|-->| | | Ch0..Ch15 | |
| |___| |Left |--+---------------->| |
Ch2.L ---|--------->|Mixer| |Sel| ______ ____
| ___ | | Ch1 | | |Master| |Add |
Ch3.L -+-|->|Sel|-->| | +----------------->| |->|Volume|->|Bias|-> L
| | |___| | | | | | |______| |____|
Ch4.L -|-|--------->| | | Ch3 | |
... -|-|--------->| | | +--------------->| |
Ch15.L-|-|--------->|_____| | | ___ | |
| +------------------+-|->|Add| Ch1+Ch3 | |
+----------------------+->|___|-------->|___|
|
____ _________ ___ ___ ___ |FIFO|-->|Channel 0|-->|Vol|-->|Add|-+->|Pan|--> Ch0.L |____| |_________| |___| |___| | |___|--> Ch0.R ____ _________ ___ ^ | |FIFO|<--|Capture 0|<--|Sel|<----|---+ |____| |_ _____ _| |___|<----|-------------- Left Mixer ____ _:Timer:_ ___ _|_ ___ |FIFO|-->|Channel 1|-->|Vol|-->|Sel|--->|Pan|--> Ch1.L |____| |_________| |___| |___| |___|--> Ch1.R |
____ _________ ___ ___ |FIFO|-->|Channel 4|-->|Vol|----------->|Pan|--> Ch4.L |____| |_________| |___| |___|--> Ch4.R |
| DS Sound Notes |
data.vol = data*N/128 pan.left = data*(128-N)/128 pan.right = data*N/128 master.vol = data*N/128/64 |
Step Bits Min Max 0 Incoming PCM16 Data 16.0 -8000h +7FFFh 1 Volume Divider (div 1..16) 16.4 -8000h +7FFFh 2 Volume Factor (mul N/128) 16.11 -8000h +7FFFh 3 Panning (mul N/128) 16.18 -8000h +7FFFh 4 Rounding Down (strip 10bit) 16.8 -8000h +7FFFh 5 Mixer (add channel 0..15) 20.8 -80000h +7FFF0h 6 Master Volume (mul N/128/64) 14.21 -2000h +1FF0h 7 Strip fraction 14.0 -2000h +1FF0h 8 Add Bias (0..3FFh, def=200h) 15.0 -2000h+0 +1FF0h+3FFh 9 Clip (min/max 0h..3FFh) 10.0 0 +3FFh |
0 12.5% "_______-_______-_______-" 1 25.0% "______--______--______--" 2 37.5% "_____---_____---_____---" 3 50.0% "____----____----____----" 4 62.5% "___-----___-----___-----" 5 75.0% "__------__------__------" 6 87.5% "_-------_-------_-------" 7 0.0% "________________________" |
X=X SHR 1, IF carry THEN Out=LOW, X=X XOR 6000h ELSE Out=HIGH |
Bit0-15 Initial PCM16 Value (Pcm16bit = -7FFFh..+7FFF) (not -8000h) Bit16-22 Initial Table Index Value (Index = 0..88) Bit23-31 Not used (zero) |
Diff = ((Data4bit AND 7)*2+1)*AdpcmTable[Index]/8 ;see rounding-error IF (Data4bit AND 8)=0 THEN Pcm16bit = Max(Pcm16bit+Diff,+7FFFh) IF (Data4bit AND 8)=8 THEN Pcm16bit = Min(Pcm16bit-Diff,-7FFFh) Index = MinMax (Index+IndexTable[Data4bit AND 7],0,88) |
Diff = AdpcmTable[Index]/8 IF (data4bit AND 1) THEN Diff = Diff + AdpcmTable[Index]/4 IF (data4bit AND 2) THEN Diff = Diff + AdpcmTable[Index]/2 IF (data4bit AND 4) THEN Diff = Diff + AdpcmTable[Index]/1 |
Max(+7FFFh) leaves -8000h unclipped (can happen if initial PCM16 was -8000h) Min(-7FFFh) clips -8000h to -7FFFh (possibly unlike windows .WAV files?) |
0007h,0008h,0009h,000Ah,000Bh,000Ch,000Dh,000Eh,0010h,0011h,0013h,0015h 0017h,0019h,001Ch,001Fh,0022h,0025h,0029h,002Dh,0032h,0037h,003Ch,0042h 0049h,0050h,0058h,0061h,006Bh,0076h,0082h,008Fh,009Dh,00ADh,00BEh,00D1h 00E6h,00FDh,0117h,0133h,0151h,0173h,0198h,01C1h,01EEh,0220h,0256h,0292h 02D4h,031Ch,036Ch,03C3h,0424h,048Eh,0502h,0583h,0610h,06ABh,0756h,0812h 08E0h,09C3h,0ABDh,0BD0h,0CFFh,0E4Ch,0FBAh,114Ch,1307h,14EEh,1706h,1954h 1BDCh,1EA5h,21B6h,2515h,28CAh,2CDFh,315Bh,364Bh,3BB9h,41B2h,4844h,4F7Eh 5771h,602Fh,69CEh,7462h,7FFFh |
X=000776d2h, FOR I=0 TO 88, Table[I]=X SHR 16, X=X+(X/10), NEXT I Table[3]=000Ah, Table[4]=000Bh, Table[88]=7FFFh, Table[89..127]=0000h |
| DS System and Built-in Peripherals |
| DS DMA Transfers |
0 Start Immediately 1 Start at V-Blank 2 Start at H-Blank (paused during V-Blank) 3 Synchronize to start of display 4 Main memory display 5 DS Cartridge Slot 6 GBA Cartridge Slot 7 Geometry Command FIFO |
0 Start Immediately 1 Start at V-Blank 2 DS Cartridge Slot 3 DMA0/DMA2: Wireless interrupt, DMA1/DMA3: GBA Cartridge Slot |
Bit0-31 Filldata |
| DS Timers |
| DS Interrupts |
Bit 0-6 Same as GBA Bit 7 NDS7 only: SIO/RCNT/RTC (Real Time Clock) Bit 8.. Same as GBA Bit 16 IPC Sync Bit 17 IPC Send FIFO Empty Bit 18 IPC Recv FIFO Not Empty Bit 19 Game Card Data Transfer Completion Bit 20 Game Card IREQ_MC Bit 21 NDS9 only: Geometry Command FIFO Bit 22 NDS7 only: Screens unfolding Bit 23 NDS7 only: SPI bus Bit 24 NDS7 only: Wifi Bit 25-31 Not used |
Bit 0-31 Pointer to IRQ Handler |
Bit 0-31 IRQ Flags (same format as IE/IF registers) |
| DS Maths |
0-1 Division Mode (0-2=See below) (3=Reserved; same as Mode 1) 2-13 Not used 14 Division by zero (0=Okay, 1=Division by zero error; 64bit Denom=0) 15 Busy (0=Ready, 1=Busy) (Execution time see below) |
Mode Numer / Denom = Result, Remainder ; Cycles 0 32bit / 32bit = 32bit , 32bit ; 18 clks 1 64bit / 32bit = 64bit , 32bit ; 34 clks 2 64bit / 64bit = 64bit , 64bit ; 34 clks |
DIV0 --> REMAIN=NUMER, RESULT=+/-1 (with sign opposite of NUMER) -MAX/-1 --> RESULT=-MAX (instead +MAX) |
0 Mode (0=32bit input, 1=64bit input) 1-14 Not used 15 Busy (0=Ready, 1=Busy) (Execution time is 13 clks, in either Mode) |
| DS Inter Process Communication (IPC) |
Bit Dir Expl. 0-3 R Data input from IPCSYNC Bit8-11 of remote CPU (00h..0Fh) 4-7 - Not used 8-11 R/W Data output to IPCSYNC Bit0-3 of remote CPU (00h..0Fh) 12 - Not used 13 W Send IRQ to remote CPU (0=None, 1=Send IRQ) 14 R/W Enable IRQ from remote CPU (0=Disable, 1=Enable) 15-31 - Not used |
Bit Dir Expl. 0 R Send Fifo Empty Status (0=Not Empty, 1=Empty) 1 R Send Fifo Full Status (0=Not Full, 1=Full) 2 R/W Send Fifo Empty IRQ (0=Disable, 1=Enable) 3 W Send Fifo Clear (0=Nothing, 1=Flush Send Fifo) 4-7 - Not used 8 R Receive Fifo Empty (0=Not Empty, 1=Empty) 9 R Receive Fifo Full (0=Not Full, 1=Full) 10 R/W Receive Fifo Not Empty IRQ (0=Disable, 1=Enable) 11-13 - Not used 14 R/W Error, Read Empty/Send Full (0=No Error, 1=Error/Acknowledge) 15 R/W Enable Send/Receive Fifo (0=Disable, 1=Enable) 16-31 - Not used |
Bit0-31 Send Fifo Data (max 16 words; 64bytes) |
Bit0-31 Receive Fifo Data (max 16 words; 64bytes) |
| DS Keypad |
0 Button X (0=Pressed, 1=Released) 1 Button Y (0=Pressed, 1=Released) 3 DEBUG button (0=Pressed, 1=Released/None such) 6 Pen down (0=Pressed, 1=Released/Disabled) 7 Hinge/folded (0=Open, 1=Closed) 2,4,5 Unknown / set 8..15 Unknown / zero |
| DS Absent Link Port |
NDS7 4000128h SIOCNT Bit15 "CKUP" New Bit in NORMAL/MULTI/UART mode (R/W) NDS7 4000128h SIOCNT Bit14 "N/A" Removed IRQ Bit in UART mode (?) NDS7 400012Ah SIOCNT_H Bit14 "TFEMP" New Bit (R/W) NDS7 400012Ah SIOCNT_H Bit15 "RFFUL" New Bit (always zero?) NDS7 400012Ch SIOSEL Bit0 "SEL" New Bit (always zero?) NDS7 4000140h JOYCNT Bit7 "MOD" New Bit (R/W) |
NDS9 4000120h SIODATA32 Bit0-31 Data (always zero?) NDS9 4000128h SIOCNT Bit2 "TRECV" New Bit (always zero?) NDS9 4000128h SIOCNT Bit3 "TSEND" New Bit (always zero?) NDS9 400012Ch SIOSEL Bit0 "SEL" New Bit (always zero?) |
| DS Real-Time Clock (RTC) |
Bit Expl. 0 Data I/O (0=Low, 1=High) 1 Clock Out (0=Low, 1=High) 2 Select Out (0=Low, 1=High/Select) 4 Data Direction (0=Read, 1=Write) 5 Clock Direction (should be 1=Write) 6 Select Direction (should be 1=Write) 3,8-11 Unused I/O Lines 7,12-15 Direction for Bit3,8-11 (usually 0) |
Init CS=LOW and /SCK=HIGH, and wait at least 1us Switch CS=HIGH, and wait at least 1us Send the Command byte (see bit-transfer below) Send/receive Parameter byte(s) associated with the command (see below) Switch CS to LOW |
Output /SCK=LOW and SIO=databit (when writing), then wait at least 5us Output /SCK=HIGH, wait at least 5us, then read SIO=databit (when reading) In either direction, data is output on (or immediately after) falling edge. |
Command Register
Fwd Rev
0-3 7-4 Fixed Code (must be 06h = 0110b) (same for Fwd and Rev)
4-6 3-1 Command
Fwd Rev Parameter bytes (read/write access)
0 0 1 byte, status register 1
4 1 1 byte, status register 2
2 2 7 bytes, date & time (year,month,day,day_of_week,hour,minute, second)
6 3 3 bytes, time (hour,minute,second)
1* 4* 1 byte, int1, frequency duty setting
1* 4* 3 bytes, int1, alarm time 1 (day_of_week, hour, minute)
5 5 3 bytes, int2, alarm time 2 (day_of_week, hour, minute)
3 6 1 byte, clock adjustment register
7 7 1 byte, free register
7 0 Parameter Read/Write Access (0=Write, 1=Read)
|
Status Register 1
0 W Reset (0=Normal, 1=Reset)
1 R/W 12/24 hour mode (0=12 hour, 1=24 hour)
2-3 R/W General purpose bits
4 R Interrupt 1 Flag (1=Yes) ;auto-cleared on read
5 R Interrupt 2 Flag (1=Yes) ;auto-cleared on read
6 R Power Low Flag (0=Normal, 1=Power is/was low) ;auto-cleared on read
7 R Power Off Flag (0=Normal, 1=Power was off) ;auto-cleared on read
Power off indicates that the battery was removed or fully discharged,
all registers are reset to 00h (or 01h), and must be re-initialized.
Status Register 2
0-3 R/W INT1 Mode/Enable
0000b Disable
0x01b Selected Frequency steady interrupt
0x10b Per-minute edge interrupt
0011b Per-minute steady interrupt 1 (duty 30.0 secomds)
0100b Alarm 1 interrupt
0111b Per-minute steady interrupt 2 (duty 0.0079 secomds)
1xxxb 32kHz output
4-5 R/W General purpose bits
6 R/W INT2 Enable
0b Disable
1b Alarm 2 interrupt
7 R/W Test Mode (0=Normal, 1=Test, don't use) (cleared on Reset)
Clock Adjustment Register (to compensate oscillator inaccuracy)
0-7 R/W Adjustment (00h=Normal, no adjustment)
Free Register
0-7 R/W General purpose bits
|
Year Register
0-7 R/W Year (BCD 00h..99h = 2000..2099)
Month Register
0-4 R/W Month (BCD 01h..12h = January..December)
5-7 - Not used (always zero)
Day Register
0-5 R/W Day (BCD 01h..28h,29h,30h,31h, range depending on month/year)
6-7 - Not used (always zero)
Day of Week Register (septenary counter)
0-2 R/W Day of Week (00h..06h, custom assignment, usually 0=Monday?)
3-7 - Not used (always zero)
|
Hour Register
0-5 R/W Hour (BCD 00h..23h in 24h mode, or 00h..11h in 12h mode)
6 * AM/PM (0=AM before noon, 1=PM after noon)
* 24h mode: AM/PM flag is read only (PM=1 if hour = 12h..23h)
* 12h mode: AM/PM flag is read/write-able
* 12h mode: Observe that 12 o'clock is defined as 00h (not 12h)
7 - Not used (always zero)
Minute Register
0-6 R/W Minute (BCD 00h..59h)
7 - Not used (always zero)
Second Register
0-6 R/W Minute (BCD 00h..59h)
7 - Not used (always zero)
|
Alarm1 and Alarm2 Day of Week Registers (INT1 and INT2 each)
0-2 R/W Day of Week (00h..06h)
3-6 - Not used (always zero)
7 R/W Compare Enable (0=Alarm every day, 1=Alarm only at specified day)
Alarm1 and Alarm2 Hour Registers (INT1 and INT2 each)
0-5 R/W Hour (BCD 00h..23h in 24h mode, or 00h..11h in 12h mode)
6 R/W AM/PM (0=AM, 1=PM) (must be correct even in 24h mode?)
7 R/W Compare Enable (0=Alarm every hour, 1=Alarm only at specified hour)
Alarm1 and Alarm2 Minute Registers (INT1 and INT2 each)
0-6 R/W Minute (BCD 00h..59h)
7 R/W Compare Enable (0=Alarm every min, 1=Alarm only at specified min)
Selected Frequency Steady Interrupt Register (INT1 only) (when Stat2/Bit2=0)
0 R/W Enable 1Hz Frequency (0=Disable, 1=Enable)
1 R/W Enable 2Hz Frequency (0=Disable, 1=Enable)
2 R/W Enable 4Hz Frequency (0=Disable, 1=Enable)
3 R/W Enable 8Hz Frequency (0=Disable, 1=Enable)
4 R/W Enable 16Hz Frequency (0=Disable, 1=Enable)
The signals are ANDed when two or more frequencies are enabled,
ie. the /INT signal gets LOW when either of the signals is LOW.
5-7 R/W General purpose bits
|
1 /INT 8 VDD 2 XOUT 7 SIO 3 XIN 6 /SCK 4 GND 5 CS |
| DS Serial Peripheral Interface Bus (SPI) |
0-1 Baudrate (0=4MHz/Firmware, 1=2MHz/Touchscr, 2=1MHz/Powerman., 3=512KHz) 2-6 Not used (Zero) 7 Busy Flag (0=Ready, 1=Busy) (presumably Read-only) 8-9 Device Select (0=Powerman., 1=Firmware, 2=Touchscr, 3=Reserved) 10 Transfer Size (0=8bit/Normal, 1=16bit/Bugged) 11 Chipselect Hold (0=Deselect after transfer, 1=Keep selected) 12-13 Not used (Zero) 14 Interrupt Request (0=Disable, 1=Enable) 15 SPI Bus Enable (0=Disable, 1=Enable) |
0-7 Data 8-15 Not used (always zero, even in bugged-16bit mode) |
| DS Touch Screen Controller (TSC) |
0-1 Power Down Mode Select 2 Reference Select (0=Differential, 1=Single-Ended) 3 Conversion Mode (0=12bit, max CLK=2MHz, 1=8bit, max CLK=3MHz) 4-6 Channel Select (0-7, see below) 7 Start Bit (Must be set to access Control Byte) |
0 Temperature 0 (requires calibration, step 2.1mV per 1'C accuracy) 1 Touchscreen Y-Position (somewhat 0B0h..F20h, or FFFh=released) 2 Battery Voltage (not used, connected to GND in NDS, always 000h) 3 Touchscreen Z1-Position (diagonal position for pressure measurement) 4 Touchscreen Z2-Position (diagonal position for pressure measurement) 5 Touchscreen X-Position (somewhat 100h..ED0h, or 000h=released) 6 AUX Input (connected to Microphone in the NDS) 7 Temperature 1 (difference to Temp 0, without calibration, 2'C accuracy) |
Mode /PENIRQ VREF ADC Recommended use 0 Enabled Auto Auto Differential Mode (Touchscreen, Penirq) 1 Disabled Off On Single-Ended Mode (Temperature, Microphone) 2 Enabled On Off Don't use 3 Disabled On On Don't use |
scr.x = (adc.x-adc.x1) * (scr.x2-scr.x1) / (adc.x2-adc.x1) + (scr.x1-1) scr.y = (adc.y-adc.y1) * (scr.y2-scr.y1) / (adc.y2-adc.y1) + (scr.y1-1) |
Rtouch = (Rx_plate*Xpos*(Z2pos/Z1pos-1))/4096 Rtouch = (Rx_plate*Xpos*(4096/Z1pos-1)-Ry_plate*(1-Ypos))/4096 |
touchval = Xpos*(Z2pos/Z1pos-1) |
K = (CAL.TP0-ADC.TP0) * 0.4 + CAL.KELVIN |
K = (ADC.TP1-ADC.TP0) * 8568 / 4096 |
Celsius: C = (K-273.15) Fahrenheit: F = (K-273.15)*9/5+32 Reaumur: R = (K-273.15)*4/5 Rankine: X = (K)*9/5 |
________ VCC 1|o |16 DCLK X+ 2| |15 /CS Y+ 3| TSC |14 DIN X- 4| 2046 |13 BUSY Y- 5| |12 DOUT GND 6| |11 /PENIRQ VBAT 7| |10 IOVDD AUX 8|________|9 VREF |
| DS Power Management |
0 Enable Flag for both LCDs (0=Disable) (Prohibited, see notes) 1 2D Graphics Engine A (0=Disable) (Ports 008h-05Fh, Pal 5000000h) 2 3D Rendering Engine (0=Disable) (Ports 320h-3FFh) 3 3D Geometry Engine (0=Disable) (Ports 400h-6FFh) 4-8 Not used 9 2D Graphics Engine B (0=Disable) (Ports 1008h-105Fh, Pal 5000400h) 10-14 Not used 15 Display Swap (0=Send Display A to Lower Screen, 1=To Upper Screen) |
Bit Expl. 0 Sound Speakers (0=Disable, 1=Enable) (Initial setting = 1) 1 Wifi (0=Disable, 1=Enable) (Initial setting = 0) 2-31 Not used |
Bit Expl. 0-2 Wifi WS0 Control (0-7) (Ports 4800000h-4807FFFh) 3-5 Wifi WS1 Control (0-7) (Ports 4808000h-480FFFFh) 4-15 Not used (zero) |
Bit Expl. 0-5 Not used (zero) 6-7 Power Down Mode (0=No function, 1=Enter GBA Mode, 2=Halt, 3=Sleep) |
Bit Expl. 0 Post Boot Flag (0=Boot in progress, 1=Boot completed) 1 NDS7: Not used (always zero), NDS9: Bit1 is read-writeable 2-7 Not used (always zero) |
Index Register
Bit0-2 Register Select (0..3) (0..4 for DS-Lite)
Bit3-6 Not used
Bit7 Register Direction (0=Write, 1=Read)
Register 0 - Powermanagement Control (R/W)
Bit0 Sound Amplifier Enable (0=Disable, 1=Enable)
(Old-DS: Disabled: Sound is very silent, but still audible)
(DS-Lite: Disabled: Sound is NOT audible)
Bit1 Sound Amplifier Mute (0=Normal, 1=Mute) (Old-DS Only, not DS-Lite)
(Old-DS: Muted: Sound is NOT audible, that works only if Bit0=1)
(DS-Lite: Not used, Bit1 is always zero)
Bit2 Lower Backlight (0=Disable, 1=Enable)
Bit3 Upper Backlight (0=Disable, 1=Enable)
Bit4 Power LED Blink Enable (0=Always ON, 1=Blinking OFF/ON)
Bit5 Power LED Blink Speed (0=Slow, 1=Fast) (only if Blink enabled)
Bit6 DS System Power (0=Normal, 1=Shut Down)
Bit7 Not used (always 0)
Register 1 - Battery Status (R)
Bit0 Battery Power LED Status (0=Power Good/Green, 1=Power Low/Red)
Bit1-7 Not used
Register 2 - Microphone Amplifier Control (R/W)
Bit0 Amplifier (0=Disable, 1=Enable)
Bit1-7 Not used (always 0)
Register 3 - Microphone Amplifier Gain Control (R/W)
Bit0-1 Gain (0..3=Gain 20, 40, 80, 160)
Bit2-7 Not used (always 0)
Register 4 - DS-Lite Only - Backlight Levels/Power Source (R/W)
Bit0-1 Backlight Brightness (0..3=Low,Med,High,Max) (R/W)
(when bit2+3 are both set, then reading bit0-1 always returns 3)
Bit2 Force Max Brightness when Bit3=1 (0=No, 1=Yes) (R/W)
Bit3 External Power Present (0=No, 1=Yes) (Read-Only)
Bit4-7 Unknown (Always 4) (Read-Only)
|
| DS Main Memory Control |
LDRH R0,[27FFFFEh] ;read one value STRH R0,[27FFFFEh] ;write should be same value as above STRH R0,[27FFFFEh] ;write should be same value as above STRH R0,[27FFFFEh] ;write any value STRH R0,[27FFFFEh] ;write any value LDRH R0,[2400000h+CR*2] ;read, address-bits are defining new CR value |
Bit Expl.
0-6 Reserved (Must be 7Fh)
7 Write Control
0=WE Single Clock Pulse Control without Write Suspend Function
1=WE Level Control with Write Suspend Function)
Burst Read/Single Write is not supported at WE Single Clock Mode.
8 Reserved (Must be 1)
9 Valid Clock Edge (0=Falling Edge, 1=Rising Edge)
10 Single Write (0=Burst Read/Burst Write, 1=Burst Read/Single Write)
11 Burst Sequence (0=Reserved, 1=Sequential)
12-14 Read Latency (1=3 clocks, 2=4 clocks, 3=5 clocks, other=Reserved)
15 Mode
0=Synchronous: Burst Read, Burst Write
1=Asynchronous: Page Read, Normal Write
In Mode 1 (Async), only the Partial Size bits are used,
all other bits, CR bits 0..18, must be "1".
16-18 Burst Length (2=8 Words, 3=16Words, 7=Continous, other=Reserved)
19-20 Partial Size (0=1MB, 1=512KB, 2=Reserved, 3=Deep/0 bytes)
|
STRH 2000h,[4000204h] LDRH R0,[27FFFFEh] STRH R0,[27FFFFEh] STRH R0,[27FFFFEh] STRH FFDFh,[27FFFFEh] STRH E732h,[27FFFFEh] LDRH R0,[27E57FEh] STRH 6000h,[4000204h] |
| DS Cartridges, Encryption, Firmware |
| DS Cartridge Header |
Address Bytes Expl.
000h 12 Game Title (Uppercase ASCII, padded with 00h)
00Ch 4 Gamecode (Uppercase ASCII, NTR-<code>) (0=homebrew)
010h 2 Makercode (Uppercase ASCII, eg. "01"=Nintendo) (0=homebrew)
012h 1 Unitcode (00h=Nintendo DS)
013h 1 Encryption Seed Select (00..07h, usually 00h)
014h 1 Devicecapacity (Chipsize = 128KB SHL nn) (eg. 7 = 16MB)
015h 9 Reserved (zero filled)
01Eh 1 ROM Version (usually 00h)
01Fh 1 Autostart (Bit2: Skip "Press Button" after Health and Safety)
(Also skips bootmenu, even in Manual mode & even Start pressed)
020h 4 ARM9 rom_offset (4000h and up, align 1000h)
024h 4 ARM9 entry_address (2000000h..23BFE00h)
028h 4 ARM9 ram_address (2000000h..23BFE00h)
02Ch 4 ARM9 size (max 3BFE00h) (3839.5KB)
030h 4 ARM7 rom_offset (8000h and up)
034h 4 ARM7 entry_address (2000000h..23BFE00h, or 37F8000h..3807E00h)
038h 4 ARM7 ram_address (2000000h..23BFE00h, or 37F8000h..3807E00h)
03Ch 4 ARM7 size (max 3BFE00h, or FE00h) (3839.5KB, 63.5KB)
040h 4 File Name Table (FNT) offset
044h 4 File Name Table (FNT) size
048h 4 File Allocation Table (FAT) offset
04Ch 4 File Allocation Table (FAT) size
050h 4 File ARM9 overlay_offset
054h 4 File ARM9 overlay_size
058h 4 File ARM7 overlay_offset
05Ch 4 File ARM7 overlay_size
060h 4 Port 40001A4h setting for normal commands (usually 00586000h)
064h 4 Port 40001A4h setting for KEY1 commands (usually 001808F8h)
068h 4 Icon_title_offset (0=None) (8000h and up)
06Ch 2 Secure Area Checksum, CRC-16 of [ [20h]..7FFFh]
06Eh 2 Secure Area Loading Timeout (usually 051Eh)
070h 4 ARM9 Auto Load List RAM Address (?)
074h 4 ARM7 Auto Load List RAM Address (?)
078h 8 Secure Area Disable (by encrypted "NmMdOnly") (usually zero)
080h 4 Total Used ROM size (remaining/unused bytes usually FFh-padded)
084h 4 ROM Header Size (4000h)
088h 38h Reserved (zero filled)
0C0h 9Ch Nintendo Logo (compressed bitmap, same as in GBA Headers)
15Ch 2 Nintendo Logo Checksum, CRC-16 of [0C0h-15Bh], fixed CF56h
15Eh 2 Header Checksum, CRC-16 of [000h-15Dh]
160h 4 Debug rom_offset (0=none) (8000h and up) ;only if debug
164h 4 Debug size (0=none) (max 3BFE00h) ;version with
168h 4 Debug ram_address (0=none) (2400000h..27BFE00h) ;SIO and 8MB
16Ch 4 Reserved (zero filled) (transferred, and stored, but not used)
170h 90h Reserved (zero filled) (transferred, but not stored in RAM)
|
| DS Cartridge Secure Area |
Value Expl. "encryObj" raw ID before encryption (raw ROM-image) (encrypted) encrypted ID after encryption (encrypted ROM-image) "encryObj" raw ID after decryption (verified by BIOS boot code) E7FFDEFFh,E7FFDEFFh destroyed ID (overwritten by BIOS after verify) |
000h..007h Secure Area ID (see above) 008h..00Dh Fixed (FFh,DEh,FFh,E7h,FFh,DEh) 00Eh..00Fh CRC16 across following 7E0h bytes, ie. [010h..7FFh] 010h..7FDh Unknown/random values, mixed with some THUMB SWI calls 7FEh..7FFh Fixed (00h,00h) |
| DS Cartridge Icon/Title |
Addr Siz Expl.
000h 2 Version (0001h)
002h 2 CRC16 across entries 020h..83Fh
004h 1Ch Reserved (zero-filled)
020h 200h Icon Bitmap (32x32 pix) (4x4 tiles, each 4x8 bytes, 4bit depth)
220h 20h Icon Palette (16 colors, 16bit, range 0000h-7FFFh)
(Color 0 is transparent, so the 1st palette entry is ignored)
240h 100h Title 0 Japanese (128 characters, 16bit Unicode)
340h 100h Title 1 English ("")
440h 100h Title 2 French ("")
540h 100h Title 3 German ("")
640h 100h Title 4 Italian ("")
740h 100h Title 5 Spanish ("")
840h ? (Maybe newer/chinese firmware do also support chinese title?)
840h - End of Icon/Title structure (next 1C0h bytes usually FFh-filled)
|
| DS Cartridge Protocol |
0000h-0FFFh Header (unencrypted) 1000h-3FFFh Not read-able (zero filled in ROM-images) 4000h-7FFFh Secure Area, 16KBytes (first 2Kbytes with extra encryption) 8000h-... Main Data Area |
Command/Params Expl. Cmd Reply Len -- Unencrypted Load -- 9F00000000000000h Dummy (read HIGH-Z bytes) RAW RAW 2000h 0000000000000000h Get Cartridge Header RAW RAW 200h 9000000000000000h 1st Get ROM Chip ID RAW RAW 4 00aaaaaaaa000000h Unencrypted Data (debug ver only) RAW RAW 200h 3Ciiijjjxkkkkkxxh Activate KEY1 Encryption Mode RAW RAW 0 -- Secure Area Load -- 4llllmmmnnnkkkkkh Activate KEY2 Encryption Mode KEY1 FIX 910h+0 1lllliiijjjkkkkkh 2nd Get ROM Chip ID KEY1 KEY2 910h+4 xxxxxxxxxxxxxxxxh Invalid - Get KEY2 Stream XOR 00h KEY1 KEY2 910h+... 2bbbbiiijjjkkkkkh Get Secure Area Block (4Kbytes) KEY1 KEY2 910h+11A8h 6lllliiijjjkkkkkh Optional KEY2 Disable KEY1 KEY2 910h+? Alllliiijjjkkkkkh Enter Main Data Mode KEY1 KEY2 910h+0 -- Main Data Load -- B7aaaaaaaa000000h Encrypted Data Read KEY2 KEY2 200h B800000000000000h 3rd Get ROM Chip ID KEY2 KEY2 4 xxxxxxxxxxxxxxxxh Invalid - Get KEY2 Stream XOR 00h KEY2 KEY2 ... |
aaaaaaaa 32bit ROM address (command B7 can access only 8000h and up) bbbb Secure Area Block number (0004h..0007h for addr 4000h..7000h) x,xx Random, not used in further commands iii,jjj,llll Random, must be SAME value in further commands kkkkk Random, must be INCREMENTED after FURTHER commands mmm,nnn Random, used as KEY2-encryption seed |
1st byte - Manufacturer (C2h = Macronix) 2nd byte - Chip size in megabytes minus 1 (eg. 0Fh = 16MB) 3rd byte - Reserved/zero (probably upper bits of chip size) 4th byte - Bit7: Secure Area Block transfer mode (8x200h or 1000h) |
| DS Cartridge Backup |
Type Total Size Page Size Chip/Example Game/Example EEPROM 0.5K bytes 16 bytes ST M95040-W (eg. Metroid Demo) EEPROM 8K bytes 32 bytes ST M95640-W (eg. Super Mario DS) EEPROM 64K bytes 128 bytes ST M95512-W (eg. Downhill Jam) FLASH 256K bytes 256 bytes ST M45PE20 (eg. Skateland) FLASH 512K bytes 256 bytes ST M25PE40? (eg. which/any games?) FRAM 8K bytes No limit ? (eg. which/any games?) FRAM 32K bytes No limit Ramtron FM25L256? (eg. which/any games?) |
Type Max Writes per Page Data Retention EEPROM 100,000 40 years FLASH 100,000 20 years FRAM No limit 10 years |
06h WREN Write Enable Cmd, no parameters 04h WRDI Write Disable Cmd, no parameters 05h RDSR Read Status Register Cmd, read repeated status value(s) 01h WRSR Write Status Register Cmd, write one-byte value 9Fh RDID Read JEDEC ID (not supported on EEPROM/FLASH, returns FFh-bytes) |
03h RDLO Read from Memory 000h-0FFh Cmd, addr lsb, read byte(s) 0Bh RDHI Read from Memory 100h-1FFh Cmd, addr lsb, read byte(s) 02h WRLO Write to Memory 000h-0FFh Cmd, addr lsb, write 1..MAX byte(s) 0Ah WRHI Write to Memory 100h-1FFh Cmd, addr lsb, write 1..MAX byte(s) |
03h RD Read from Memory Cmd, addr msb,lsb, read byte(s) 02h WR Write to Memory Cmd, addr msb,lsb, write 1..MAX byte(s) |
0 WIP Write in Progress (1=Busy) (Read only) (always 0 for FRAM chips) 1 WEL Write Enable Latch (1=Enable) (Read only, except by WREN,WRDI) 2-3 WP Write Protect (0=None, 1=Upper quarter, 2=Upper Half, 3=All memory) |
4-7 ONEs Not used (all four bits are always set to "1" each) |
4-6 ZERO Not used (all three bits are always set to "0" each) 7 SRWD Status Register Write Disable (0=Normal, 1=Lock) (Only if /W=LOW) |
RDSR RDID Type (bus-width) FFh, FFh,FFh,FFh None (none) F0h, FFh,FFh,FFh EEPROM (with 8+1bit address bus) 00h, FFh,FFh,FFh EEPROM/FRAM (with 16bit address bus) 00h, xxh,xxh,xxh FLASH (usually with 24bit address bus) |
Pin Name Expl. 1 /S Chip Select 2 Q Data Out 3 /W Write-Protect (not used in NDS, wired to VCC) 4 VSS Ground 5 D Data In 6 C Clock 7 /HOLD Transfer-pause (not used in NDS, wired to VCC) 8 VCC Supply 2.5 to 5.5V for M95xx0-W |
| DS Cartridge I/O Ports |
0-1 SPI Baudrate (0=4MHz/Default, 1=2MHz, 2=1MHz, 3=512KHz) 2-5 Not used (always zero) 6 SPI Hold Chipselect (0=Deselect after transfer, 1=Keep selected) 7 SPI Busy (0=Ready, 1=Busy) (presumably Read-only) 8-12 Not used (always zero) 13 NDS Slot Mode (0=Parallel/ROM, 1=Serial/SPI-Backup) 14 Transfer Ready IRQ (0=Disable, 1=Enable) (for ROM, not for AUXSPI) 15 NDS Slot Enable (0=Disable, 1=Enable) (for both ROM and AUXSPI) |
0-7 Data 8-15 Not used (always zero) |
Bit Expl. 0-12 KEY1 length part1 (0-1FFFh) (forced min 08F8h by BIOS) 13 KEY2 encrypt data (0=Disable, 1=Enable KEY2 Encryption for Data) 14 "SE" Unknown? (usually same as Bit13) 15 KEY2 Apply Seed (0=No change, 1=Apply Encryption Seed) (Write only) 16-21 KEY1 length part2 (0-3Fh) (forced min 18h by BIOS) 22 KEY2 encrypt cmd (0=Disable, 1=Enable KEY2 Encryption for Commands) 23 Data-Word Status (0=Busy, 1=Ready/DRQ) (Read-only) 24-26 Data Block size (0=None, 1..6=100h SHL (1..6) bytes, 7=4 bytes) 27 Transfer CLK rate (0=6.7MHz=33.51MHz/5, 1=4.2MHz=33.51MHz/8) 28 Secure Area Mode (0=Normal, 1=Other) 29 "RESB" Unknown (always 1 ?) (not read/write-able) 30 "WR" Unknown (always 0 ?) (read/write-able) 31 Block Start/Status (0=Ready, 1=Start/Busy) (IRQ See 40001A0h/Bit14) |
0-7 1st Command Byte (at 40001A8h) (eg. B7h) (MSB) 8-15 2nd Command Byte (at 40001A9h) (eg. addr bit 24-31) 16-23 3rd Command Byte (at 40001AAh) (eg. addr bit 16-23) 24-31 4th Command Byte (at 40001ABh) (eg. addr bit 8-15) (when aligned=even) 32-39 5th Command Byte (at 40001ACh) (eg. addr bit 0-7) (when aligned=00h) 40-47 6th Command Byte (at 40001ADh) (eg. 00h) 48-57 7th Command Byte (at 40001AEh) (eg. 00h) 56-63 8th Command Byte (at 40001AFh) (eg. 00h) (LSB) |
0-7 1st received Data Byte (at 4100010h) 8-15 2nd received Data Byte (at 4100011h) 16-23 3rd received Data Byte (at 4100012h) 24-31 4th received Data Byte (at 4100013h) |
For more info: DS Encryption by Random Seed (KEY2) |
| DS Cartridge NitroROM File System |
Addr Size Expl. 00h 4 Start address of file in ROM (8000h and up) (0=Unused Entry) 04h 4 End address of file in ROM (Start+Len...-1?) (0=Unused Entry) |
Addr Size Expl. 00h 4 Offset to Sub-table (originated at FNT base) 04h 2 ID of first file in Sub-table (0000h..EFFFh) |
06h 2 Total Number of directories (1..4096) |
06h 2 ID of parent directory (F000h..FFFEh) |
Addr Size Expl.
00h 1 Type/Length
01h..7Fh File Entry (Length=1..127, without ID field)
81h..FFh Sub-Directory Entry (Length=1..127, plus ID field)
00h End of Sub-Table
80h Reserved
01h LEN File or Sub-Directory Name, case-sensitive, without any ending
zero, ASCII 20h..7Eh, except for characters \/?"<>*:;|
|
LEN+1 2 Sub-Directory ID (F001h..FFFFh) ;see FNT+(ID AND FFFh)*8 |
Addr Size Expl. 00h 4 Overlay ID 04h 4 RAM Address ;Point at which to load 08h 4 RAM Size ;Amount to load 0Ch 4 BSS Size ;Size of BSS data region 10h 4 Static initialiser start address 14h 4 Static initialiser end address 18h 4 File ID (0000h..EFFFh) 1Ch 4 Reserved (zero) |
| DS Cartridge PassMe/PassThrough |
Addr Siz Patch 004h 4 E59FF018h ;opcode LDR PC,[027FFE24h] at 27FFE04h 01Fh 1 04h ;set autostart bit 022h 1 01h ;set ARM9 rom offset to nn01nnnnh (above secure area) 024h 4 027FFE04h ;patch ARM9 entry address to endless loop 034h 4 080000C0h ;patch ARM7 entry address in GBA slot 15Eh 2 nnnnh ;adjust header crc16 |
0A0h GBA-style Title ("DSBooter")
0ACh GBA-style Gamecode ("PASS")
0C0h ARM7 Entrypoint (32bit ARM code)
|
| DS Cartridge GBA Slot |
| DS Cart Rumble Pak |
VCC, GND, /WR, AD1, and IRQ (grounded) |
for i=0 to 0FFFh
if halfword[8000000h+i*2]<>(i and FFFDh) then <not_a_ds_rumble_pak>
next i
|
rumble_state = rumble_state xor 0002h halfword[8000000h]=rumble_state |
| DS Cart Unknown Add-Ons |
| DS Cart Cheat Action Replay DS |
ABCD-NNNNNNNN Game ID ;ASCII Gamecode [00Ch] and CRC32 across [0..1FFh] 00000000 XXXXXXXX manual hook codes (rarely used) (default is auto hook) 0XXXXXXX YYYYYYYY word[XXXXXXX+offset] = YYYYYYYY 1XXXXXXX 0000YYYY half[XXXXXXX+offset] = YYYY 2XXXXXXX 000000YY byte[XXXXXXX+offset] = YY 3XXXXXXX YYYYYYYY IF YYYYYYYY > word[XXXXXXX] ;unsigned ;\ 4XXXXXXX YYYYYYYY IF YYYYYYYY < word[XXXXXXX] ;unsigned ; for v1.54, 5XXXXXXX YYYYYYYY IF YYYYYYYY = word[XXXXXXX] ; when X=0, 6XXXXXXX YYYYYYYY IF YYYYYYYY <> word[XXXXXXX] ; uses 7XXXXXXX ZZZZYYYY IF YYYY > ((not ZZZZ) AND half[XXXXXXX]) ; [offset] 8XXXXXXX ZZZZYYYY IF YYYY < ((not ZZZZ) AND half[XXXXXXX]) ; instead of 9XXXXXXX ZZZZYYYY IF YYYY = ((not ZZZZ) AND half[XXXXXXX]) ; [XXXXXXX] AXXXXXXX ZZZZYYYY IF YYYY <> ((not ZZZZ) AND half[XXXXXXX]) ;/ BXXXXXXX 00000000 offset = word[XXXXXXX+offset] C0000000 YYYYYYYY FOR loopcount=0 to YYYYYYYY ;execute Y+1 times C4000000 00000000 offset = address of the C4000000 code ;v1.54 C5000000 XXXXYYYY counter=counter+1, IF (counter AND YYYY) = XXXX ;v1.54 C6000000 XXXXXXXX [XXXXXXXX]=offset ;v1.54 D0000000 00000000 ENDIF D1000000 00000000 NEXT loopcount D2000000 00000000 NEXT loopcount, and then FLUSH everything D3000000 XXXXXXXX offset = XXXXXXXX D4000000 XXXXXXXX datareg = datareg + XXXXXXXX D5000000 XXXXXXXX datareg = XXXXXXXX D6000000 XXXXXXXX word[XXXXXXXX+offset]=datareg, offset=offset+4 D7000000 XXXXXXXX half[XXXXXXXX+offset]=datareg, offset=offset+2 D8000000 XXXXXXXX byte[XXXXXXXX+offset]=datareg, offset=offset+1 D9000000 XXXXXXXX datareg = word[XXXXXXXX+offset] DA000000 XXXXXXXX datareg = half[XXXXXXXX+offset] DB000000 XXXXXXXX datareg = byte[XXXXXXXX+offset] ;bugged on pre-v1.54 DC000000 XXXXXXXX offset = offset + XXXXXXXX EXXXXXXX YYYYYYYY Copy YYYYYYYY parameter bytes to [XXXXXXXX+offset...] 44332211 88776655 parameter bytes 1..8 for above code (example) 0000AA99 00000000 parameter bytes 9..10 for above code (padded with 00s) FXXXXXXX YYYYYYYY Copy YYYYYYYY bytes from [offset..] to [XXXXXXX...] |
1st: Address used prior to launching game (eg. 23xxxxxh) 2nd: Address to write the hook at (inside the ARM7 executable) 3rd: Hook final address (huh?) 4th: Hook mode selection (0=auto, 1=mode1, 2=mode2) 5th: Opcode that replaces the hooked one (eg. E51DE004h) 6th: Address to store important stuff (default 23FE000h) 7th: Address to store the code handler (default 23FE074h) 8th: Address to store the code list (default 23FE564h) 9th: Must be 1 (00000001h) |
| DS Cart Cheat Codebreaker DS |
---Initialization--- 0000CR16 GAMECODE Specify Game ID, use Encrypted codes 8000CR16 GAMECODE Specify Game ID, use Unencrypted codes BEEFC0DE XXXXXXXX Change Encryption Keys A0XXXXXX YYYYYYYY Bootup-Hook 1, X=Address, Y=Value A8XXXXXX YYYYYYYY Bootup-Hook 2, X=Address, Y=Value F0XXXXXX TYYYYYYY Code-Hook 1 (T=Type,Y=CheatEngineAddr,X=HookAddr) F8XXXXXX TPPPPPPP Code-Hook 2 (T=Type,X=CheatEngineHookAddr,P=Params) ---General codes--- 00XXXXXX 000000YY [X]=YY 10XXXXXX 0000YYYY [X]=YYYY 20XXXXXX YYYYYYYY [X]=YYYYYYYY 60XXXXXX 000000YY ZZZZZZZZ 00000000 [[X]+Z]=YY 60XXXXXX 0000YYYY ZZZZZZZZ 10000000 [[X]+Z]=YYYY 60XXXXXX YYYYYYYY ZZZZZZZZ 20000000 [[X]+Z]=YYYYYYYY 30XXXXXX 000000YY [X]=[X] + YY 30XXXXXX 0001YYYY [X]=[X] + YYYY 38XXXXXX YYYYYYYY [X]=[X] + YYYYYYYY 70XXXXXX 000000YY [X]=[X] OR YY 70XXXXXX 001000YY [X]=[X] AND YY 70XXXXXX 002000YY [X]=[X] XOR YY 70XXXXXX 0001YYYY [X]=[X] OR YYYY 70XXXXXX 0011YYYY [X]=[X] AND YYYY 70XXXXXX 0021YYYY [X]=[X] XOR YYYY ---Memory fill/copy--- 40XXXXXX 2NUMSTEP 000000YY 000000ZZ byte[X+(0..NUM-1)*STEP*1]=Y+(0..NUM-1)*Z 40XXXXXX 1NUMSTEP 0000YYYY 0000ZZZZ half[X+(0..NUM-1)*STEP*2]=Y+(0..NUM-1)*Z 40XXXXXX 0NUMSTEP YYYYYYYY ZZZZZZZZ word[X+(0..NUM-1)*STEP*4]=Y+(0..NUM-1)*Z 50XXXXXX YYYYYYYY ZZZZZZZZ 00000000 copy Y bytes from [X] to [Z] ---Conditional codes (bugged)--- 60XXXXXX 000000YY ZZZZZZZZ 01c100VV IF [[X]+Z] .. VV THEN [[X]+Z]=YY 60XXXXXX 000000YY ZZZZZZZZ 01c0VVVV IF [[X]+Z] .. VVVV THEN [[X]+Z]=YY 60XXXXXX 0000YYYY ZZZZZZZZ 11c100VV IF [[X]+Z] .. VV THEN [[X]+Z]=YYYY 60XXXXXX 0000YYYY ZZZZZZZZ 11c0VVVV IF [[X]+Z] .. VVVV THEN [[X]+Z]=YYYY 60XXXXXX YYYYYYYY ZZZZZZZZ 21c100VV IF [[X]+Z] .. VV THEN [[X]+Z]=YYYYYYYY 60XXXXXX YYYYYYYY ZZZZZZZZ 21c0VVVV IF [[X]+Z] .. VVVV THEN [[X]+Z]=YYYYYYYY ---Conditional codes (working)--- D0XXXXXX NNc100YY IF [X] .. YY THEN exec max(1,NN) lines D0XXXXXX NNc0YYYY IF [X] .. YYYY THEN exec max(1,NN) lines |
0 IF [mem] = imm THEN ... 4 IF ([mem] AND imm) = 0 THEN ... 1 IF [mem] <> imm THEN ... 5 IF ([mem] AND imm) <> 0 THEN ... 2 IF [mem] < imm THEN ... (unsigned) 6 IF ([mem] AND imm) = imm THEN ... 3 IF [mem] > imm THEN ... (unsigned) 7 IF ([mem] AND imm) <> imm THEN ... |
GAMECODE Cartridge Header[00Ch] (32bit in reversed byte-order) CR16 Cartridge Header[15Eh] (16bit in normal byte-order) XXXXXX 27bit addr (actually 7 digits, XXXXXXX, overlaps 5bit code number) |
for i=4Fh to 00h
y=77628ECFh
if i>13h then y=59E5DC8Ah
if i>27h then y=054A7818h
if i>3Bh then y=B1BF0855h
address = (Key0-value) xor address
value = value - Key1 - (address ror 1Bh)
address = (address xor (value + y)) ror 13h
if (i>13h) then
if (i<=27h) or (i>3Bh) then x=Key2 xor Key1 xor Key0
else x=((Key2 xor Key1) and Key0) xor (Key1 and Key2)
value=value xor (x+y+address)
x = Secure[((i*4+00h) and FCh)+000h]
x = Secure[((i*4+34h) and FCh)+100h] xor x
x = Secure[((i*4+20h) and FCh)+200h] xor x
x = Secure[((i*4+08h) and FCh)+300h] xor x
address = address - (x ror 19h)
next i
|
Secure[0..7FFh] = Copy of the ENCRYPTED 1st 2Kbytes of the game's Secure Area Key0 = 0C2EAB3Eh, Key1 = E2AE295Dh, Key2 = E1ACC3FFh, Key3 = 70D3AF46h scramble_keys |
Key0 = Key0 + (XXXXXXXX ror 1Dh) Key1 = Key1 - (XXXXXXXX ror 05h) Key2 = Key2 xor (Key3 xor Key0) Key3 = Key3 xor (Key2 - Key1) scramble_keys |
for i=0 to FFh
y = byte(xlat_table[i])
Secure[i*4+000h] = (Secure[i*4+000h] xor Secure[y*4]) + Secure[y*4+100h]
Secure[i*4+400h] = (Secure[i*4+400h] xor Secure[y*4]) - Secure[y*4+200h]
next i
for i=0 to 63h
Key0 = Key0 xor (Secure[i*4] + Secure[i*4+190h])
Key1 = Key1 xor (Secure[i*4] + Secure[i*4+320h])
Key2 = Key2 xor (Secure[i*4] + Secure[i*4+4B0h])
Key3 = Key3 xor (Secure[i*4] + Secure[i*4+640h])
next i
Key0 = Key0 - Secure[7D0h]
Key1 = Key1 xor Secure[7E0h]
Key2 = Key2 + Secure[7F0h]
Key3 = Key3 xor Secure[7D0h] xor Secure[7F0h]
|
34h,59h,00h,32h,7Bh,D3h,32h,C9h,9Bh,77h,75h,44h,E0h,73h,46h,06h 0Bh,88h,B3h,3Eh,ACh,F2h,BAh,FBh,2Bh,56h,FEh,7Ah,90h,F7h,8Dh,BCh 8Bh,86h,9Ch,89h,00h,19h,CDh,4Ch,54h,30h,01h,93h,30h,01h,FCh,36h 4Dh,9Fh,FDh,D7h,32h,94h,AEh,BCh,2Bh,61h,DFh,B3h,44h,EAh,8Bh,A3h 2Bh,53h,33h,54h,42h,27h,21h,DFh,A9h,DDh,C0h,35h,58h,EFh,8Bh,33h B4h,D3h,1Bh,C7h,93h,AEh,32h,30h,F1h,CDh,A8h,8Ah,47h,8Ch,70h,0Ch 17h,4Eh,0Eh,A2h,85h,0Dh,6Eh,37h,4Ch,39h,1Fh,44h,98h,26h,D8h,A1h B6h,54h,F3h,AFh,98h,83h,74h,0Eh,13h,6Eh,F4h,F7h,86h,80h,ECh,8Eh EEh,4Ah,05h,A1h,F1h,EAh,B4h,D6h,B8h,65h,8Ah,39h,B3h,59h,11h,20h B6h,BBh,4Dh,88h,68h,24h,12h,9Bh,59h,38h,06h,FAh,15h,1Dh,40h,F0h 01h,77h,57h,F5h,5Dh,76h,E5h,F1h,51h,7Dh,B4h,FAh,7Eh,D6h,32h,4Fh 0Eh,C8h,61h,C1h,EEh,FBh,2Ah,FCh,ABh,EAh,97h,D5h,5Dh,E8h,FAh,2Ch 06h,CCh,86h,D2h,8Ch,10h,D7h,4Ah,CEh,8Fh,EBh,03h,16h,ADh,84h,98h F5h,88h,2Ah,18h,ACh,7Fh,F6h,94h,FBh,3Fh,00h,B6h,32h,A2h,ABh,28h 64h,5Ch,0Fh,C6h,23h,12h,0Ch,D2h,BAh,4Dh,A3h,F2h,C9h,86h,31h,57h 0Eh,F8h,ECh,E1h,A0h,9Ah,3Ch,65h,17h,18h,A0h,81h,D0h,DBh,D5h,AEh |
| DS Encryption by Gamecode/Idcode (KEY1) |
Y=[ptr+0]
X=[ptr+4]
FOR I=0 TO 0Fh (up), or FOR I=11h TO 02h (down)
Z=[keybuf+I*4] XOR X
X=[keybuf+048h+((Z SHR 24) AND FFh)*4]
X=[keybuf+448h+((Z SHR 16) AND FFh)*4] + X
X=[keybuf+848h+((Z SHR 8) AND FFh)*4] XOR X
X=[keybuf+C48h+((Z SHR 0) AND FFh)*4] + X
X=Y XOR X
Y=Z
NEXT I
[ptr+0]=X XOR [keybuf+40h], or [ptr+0]=X XOR [keybuf+4h] (down)
[ptr+4]=Y XOR [keybuf+44h], or [ptr+4]=Y XOR [keybuf+0h] (down)
|
crypt_64bit_up(keycode+4)
crypt_64bit_up(keycode+0)
[scratch]=0000000000000000h ;S=0 (64bit)
FOR I=0 TO 44h STEP 4 ;xor with reversed byte-order (bswap)
[keybuf+I]=[keybuf+I] XOR bswap_32bit([keycode+(I MOD modulo)])
NEXT I
FOR I=0 TO 1040h STEP 8
crypt_64bit_up(scratch) ;encrypt S (64bit) by keybuf
[keybuf+I+0]=[scratch+4] ;write S to keybuf (first upper 32bit)
[keybuf+I+4]=[scratch+0] ;write S to keybuf (then lower 32bit)
NEXT I
|
copy [arm7bios+0030h..1077h] to [keybuf+0..1047h] [keycode+0]=[idcode] [keycode+4]=[idcode]/2 [keycode+8]=[idcode]*2 IF level>=1 THEN apply_keycode(modulo) ;first apply (always) IF level>=2 THEN apply_keycode(modulo) ;second apply (optional) [keycode+4]=[keycode+4]*2 [keycode+8]=[keycode+8]/2 IF level>=3 THEN apply_keycode(modulo) ;third apply (optional) |
init_keycode(firmware_header+08h,1,0Ch) ;idcode (usually "MACP"), level 1 crypt_64bit_down(firmware_header+18h) ;rominfo init_keycode(firmware_header+08h,2,0Ch) ;idcode (usually "MACP"), level 2 decrypt ARM9 and ARM7 bootcode by crypt_64bit_down (each 8 bytes) decompress ARM9 and ARM7 bootcode by LZ77 function (swi) calc CRC16 on decrypted/decompressed ARM9 bootcode followed by ARM7 bootcode |
init_keycode(cart_header+0Ch,1,08h) ;gamecode, level 1, modulo 8 crypt_64bit_down(cart_header+78h) ;rominfo (secure area disable) init_keycode(cart_header+0Ch,2,08h) ;gamecode, level 2, modulo 8 crypt_64bit_up all KEY1 commands (1st command byte in MSB of 64bit value) after loading the secure_area, calculate secure_area crc, then crypt_64bit_down(secure_area+0) ;first 8 bytes of secure area init_keycode(cart_header+0Ch,3,08h) ;gamecode, level 3, modulo 8 crypt_64bit_down(secure_area+0..7F8h) ;each 8 bytes in first 2K of secure |
| DS Encryption by Random Seed (KEY2) |
Seed0 = 58C56DE0E8h Seed1 = 5C879B9B05h |
Seed0 = (mmmnnn SHL 15)+6000h+Seedbyte Seed1 = 5C879B9B05h |
x = reversed_bit_order(seed0) ;ie. LSB(bit0) exchanged with MSB(bit38), etc. y = reversed_bit_order(seed1) |
x = (((x shr 5)xor(x shr 17)xor(x shr 18)xor(x shr 31)) and 0FFh)+(x shl 8) y = (((y shr 5)xor(y shr 23)xor(y shr 18)xor(y shr 31)) and 0FFh)+(y shl 8) data = (data xor x xor y) and 0FFh |
| DS Firmware Serial Flash Memory |
ST M45PE20 - ID 20h,40h,12h - 256 KBytes (Nintendo DS) (in my old DS) ST M35PE20 - ID 20h,50h,12h - 256 KBytes (Nintendo DS) (in my DS-Lite) ST M25PE40 - ID 20h,80h,13h - 512 KBytes (iQue DS, with chinese charset) |
06h WREN Write Enable (No Parameters)
04h WRDI Write Disable (No Parameters)
9Fh RDID Read JEDEC Identification (Read 1..3 ID Bytes)
(Manufacturer, Device Type, Capacity)
05h RDSR Read Status Register (Read Status Register, endless repeated)
Bit7-2 Not used (zero)
Bit1 WEL Write Enable Latch (0=No, 1=Enable)
Bit0 WIP Write/Program/Erase in Progess (0=No, 1=Busy)
03h READ Read Data Bytes (Write 3-Byte-Address, read endless data stream)
0Bh FAST Read Data Bytes at Higher Speed (Write 3-Byte-Address, write 1
dummy-byte, read endless data stream) (max 25Mbit/s)
0Ah PW Page Write (Write 3-Byte-Address, write 1..256 data bytes)
(changing bits to 0 or 1) (reads unchanged data, erases the page,
then writes new & unchanged data) (11ms typ, 25ms max)
02h PP Page Program (Write 3-Byte-Address, write 1..256 data bytes)
(changing bits from 1 to 0) (1.2ms typ, 5ms max)
DBh PE Page Erase 100h bytes (Write 3-Byte-Address) (10ms typ, 20ms max)
D8h SE Sector Erase 10000h bytes (Write 3-Byte-Address) (1s typ, 5s max)
B9h DP Deep Power-down (No Parameters) (consumption 1uA typ, 10uA max)
(3us) (ignores all further instructions, except RDP)
ABh RDP Release from Deep Power-down (No Parameters) (30us)
|
Set Chip Select LOW to invoke the command Transmit the instruction byte Transmit any parameter bytes Transmit/receive any data bytes Set Chip Select HIGH to finish the command |
1 D Serial Data In (latched at rising clock edge) _________ 2 C Serial Clock (max 25MHz) /|o | 3 /RES Reset 1 -| | |- 8 4 /S Chip Select (instructions start at falling edge) 2 -| | |- 7 5 /W Write Protect (makes first 256 pages read-only) 3 -| |_________|- 6 6 VCC Supply (2.7V..3.6V typ) (4V max) (DS:VDD3.3) 4 -|/ |- 5 7 VSS Ground |___________| 8 Q Serial Data Out (changes at falling clock edge) |
| DS Firmware Header |
00000h-00029h Firmware Header 0002Ah-001FFh Wifi Settings 00200h-3FDFFh Firmware Code/Data 3FE00h-3FEFFh User Settings Area 1 3FF00h-3FFFFh User Settings Area 2 |
Addr Size Expl.
000h 2 part3 romaddr/8 (arm9 gui code) (LZ/huffman compression)
002h 2 part4 romaddr/8 (arm7 gui code) (LZ/huffman compression)
004h 2 part3/4 CRC16 arm9/7 gui code
006h 2 part1/2 CRC16 arm9/7 boot code
008h 4 firmware identifier (usually nintendo "MAC",nn) (or nocash "XBOO")
the 4th byte (nn) occassionally changes in different version
00Ch 2 part1 arm9 boot code romaddr/2^(2+shift1) (LZSS compressed)
00Eh 2 part1 arm9 boot code 2800000h-ramaddr/2^(2+shift2)
010h 2 part2 arm7 boot code romaddr/2^(2+shift3) (LZSS compressed)
012h 2 part2 arm7 boot code 3810000h-ramaddr/2^(2+shift4)
014h 2 shift amounts, bit0-2=shift1, bit3-5=shift2, bit6-8=shift3,
bit9-11=shift4, bit12-15=maybe_chipsize/128K
016h 2 part5 data/gfx romaddr/8 (LZ/huffman compression)
018h 8 Optional KEY1-encrypted "enPngOFF"=Cartridge KEY2 Disable
(feature isn't used in any consoles, instead contains timestamp)
018h 5 Firmware version built timestamp (BCD minute,hour,day,month,year)
01Dh 1 Console type? (FFh=NDS, 20h=NDS-lite, 43h=iQueDS)
01Eh 2 Unused (FFh-filled)
020h 2 User Settings Offset (div8) (usually last 200h flash bytes)
022h 2 Unknown
024h 2 Unknown
026h 2 part5 CRC16 data/gfx
028h 2 unused (FFh-filled)
|
Addr Size Expl.
02Ah 2 CRC16 (with initial value 0) of [2Ch..2Ch+config_length-1]
02Ch 2 config_length (usually 0138h, ie. entries 2Ch..163h)
02Eh 1 Unused (00h)
02Fh 1 Wifi version (00h=v1..v4, 03h=v5, 05h=v6..v7)
030h 6 Unused (00h-filled)
036h 6 48bit MAC address (v1-v5: 0009BFxxxxxx, v6-v7: 001656xxxxxx)
03Ch 2 list of enabled channels ANDed with 7FFE (Bit1..14 = Channel 1..14)
(usually 3FFEh, ie. only channel 1..13 enabled)
03Eh 2 Whatever Flags (usually FFFFh)
040h 1 RF Chip Type (usually 02h)
041h 1 RF Bits per entry at 0CEh (usually 18h=24bit=3byte) (Bit7=?)
042h 1 RF Number of entries at 0CEh (usually 0Ch)
043h 1 Unknown (usually 01h)
044h 2 Initial Value for [4808146h]
046h 2 Initial Value for [4808148h]
048h 2 Initial Value for [480814Ah]
04Ah 2 Initial Value for [480814Ch]
04Ch 2 Initial Value for [4808120h]
04Eh 2 Initial Value for [4808122h]
050h 2 Initial Value for [4808154h]
052h 2 Initial Value for [4808144h]
054h 2 Initial Value for [4808130h]
056h 2 Initial Value for [4808132h]
058h 2 Initial Value for [4808140h]
05Ah 2 Initial Value for [4808142h]
05Ch 2 Initial Value for [4808038h]
05Eh 2 Initial Value for [4808124h]
060h 2 Initial Value for [4808128h]
062h 2 Initial Value for [4808150h]
064h 69h Initial 8bit values for BB[0..68h]
0CDh 1 Unused (00h)
|
0CEh 24h Initial 24bit values for RF[0,4,5,6,7,8,9,0Ah,0Bh,1,2,3] 0F2h 54h Channel 1..14 2x24bit values for RF[5,6] 146h 0Eh Channel 1..14 8bit values for BB[1Eh] (usually somewhat B1h..B7h) 154h 0Eh Channel 1..14 8bit values for RF[9].Bit10..14 (usually 10h-filled) |
--- Type3 values are originated at 0CEh, following addresses depend on: --- 1) number of initial values, found at [042h] ;usually 29h 2) number of BB indices, found at [0CEh+[042h]] ;usually 02h 3) number of RF indices, found at [043h] ;usually 02h --- Below example addresses assume above values to be set to 29h,02h,02h --- 0CEh 29h Initial 8bit values for RF[0..28h] 0F7h 1 Number of BB indices per channel 0F8h 1 1st BB index 0F9h 14 1st BB data for channel 1..14 107h 1 2nd BB index 108h 14 2nd BB data for channel 1..14 116h 1 1st RF index 117h 14 1st RF data for channel 1..14 125h 1 2nd RF index 126h 14 2nd RF data for channel 1..14 134h 46 Unused (FFh-filled) |
162h 1 Unknown (usually 19h..1Ch) 163h 1 Unused (FFh) (Inside CRC16 region, with config_length=138h) 164h 9Ch Unused (FFh-filled) (Outside CRC16 region, with config_length=138h) |
| DS Firmware User Settings |
Addr Size Expl. 000h 2 Version (5) (Always 5, for all Firmware versions) 002h 1 Favorite color (0..15) (0=Gray, 1=Brown, etc.) 003h 1 Birthday month (1..12) (Binary, non-BCD) 004h 1 Birthday day (1..31) (Binary, non-BCD) 005h 1 Not used (zero) 006h 20 Nickname string in UTF-16 format 01Ah 2 Nickname length in characters (0..10) 01Ch 52 Message string in UTF-16 format 050h 2 Message length in characters (0..26) 052h 1 Alarm hour (0..23) (Binary, non-BCD) 053h 1 Alarm minute (0..59) (Binary, non-BCD) 054h 056h 1 80h=enable alarm (huh?), bit 0..6=enable? 057h Zero (1 byte) 058h 2x2 touch-screen calibration point (adc.x1,y1) 12bit ADC-position 05Ch 2x1 touch-screen calibration point (scr.x1,y1) 8bit pixel-position 05Eh 2x2 touch-screen calibration point (adc.x2,y2) 12bit ADC-position 062h 2x1 touch-screen calibration point (scr.x2,y2) 8bit pixel-position 064h 2 Language and Flags (see below) 066h 2 Unknown 068h 4 RTC Offset (difference in seconds when RTC time/date was changed) 06Ch 4 Not used (FFh-filled, sometimes 00h-filled) |
070h 1/2 update counter (used to check latest) 072h 2 CRC16 of entries 00h..6Fh 074h 8Ch Not used (FFh-filled) (except iQue, see below) |
074h 4 Unknown (01 01 7E 00) (maybe version and language...?) 078h 86h Not used (FFh-filled) 0FEh 2 CRC16 of entries 74h..FDh |
Bit
0..2 Language (0=Japanese, 1=English, 2=French, 3=German,
4=Italian, 5=Spanish, 6=Chinese, 7=Reserved)
(the language setting also implies time/data format)
(chinese is supported by chinese firmware only)
(chinese is NOT supported by chinese firmware?)
(or only when chinese cartridge is inserted?)
(or chinese is defined elsewhere than entry 64h?)
3 GBA mode screen selection (0=Upper, 1=Lower)
4-5 Backlight Level (0..3=Low,Med,High,Max) (DS-Lite only)
6 Bootmenu Disable (0=Manual/bootmenu, 1=Autostart game)
9 User Settings Lost (0=Normal, 1=Prompt/Settings Lost)
13
14
The Health and Safety message is skipped if Bit9=1, or if
one or more of the following bits is zero: Bits 10,11,13,14,15.
However, as soon as entering the bootmenu, the Prompt occurs.
|
IF count1=((count0+1) AND 7Fh) THEN area1=newer ELSE area0=newer |
| DS Firmware Extended Settings |
Addr Siz Expl.
00h 8 ID "XbooInfo"
08h 2 CRC16 Value [0Ch..0Ch+Length-1]
0Ah 2 CRC16 Length (from 0Ch and up)
0Ch 1 Version (currently 01h)
0Dh 1 Update Count (newer = (older+1) AND FFh)
0Eh 1 Bootmenu Flags
Bit6 Important Info (0=Disable, 1=Enable)
Bit7 Bootmenu Screen (0=Upper, 1=Lower)
0Fh 1 GBA Border (0=Black, 1=Gray Line)
10h 2 Temperature Calibration TP0 ADC value (x16) (sum of 16 ADC values)
12h 2 Temperature Calibration TP1 ADC value (x16) (sum of 16 ADC values)
14h 2 Temperature Calibration Degrees Kelvin (x100) (0=none)
16h 1 Temperature Flags
Bit0-1 Format (0=Celsius, 1=Fahrenheit, 2=Reaumur, 3=Kelvin)
17h 1 Backlight Intensity (0=0ff .. FFh=Full)
18h 4 Date Century Offset (currently 20, for years 2000..2099)
1Ch 1 Date Month Recovery Value (1..12)
1Dh 1 Date Day Recovery Value (1..31)
1Eh 1 Date Year Recovery Value (0..99)
1Fh 1 Date/Time Flags
Bit0-1 Date Format (0=YYYY-MM-DD, 1=MM-DD-YYYY, 2=DD-MM-YYYY)
Bit2 Friendly Date (0=Raw Numeric, 1=With Day/Month Names)
Bit5 Time DST (0=Hide DST, 1=Show DST=On/Off)
Bit6 Time Seconds (0=Hide Seconds, 1=Show Seconds)
Bit7 Time Format (0=24 hour, 1=12 hour)
20h 1 Date Separator (Ascii, usually Slash, or Dot)
21h 1 Time Separator (Ascii, usually Colon, or Dot)
22h 1 Decimal Separator (Ascii, usually Comma, or Dot)
23h 1 Thousands Separator (Ascii, usually Comma, or Dot)
24h 1 Daylight Saving Time (Nth)
Bit 0-3 Activate on (0..4 = Last,1st,2nd,3rd,4th)
Bit 4-7 Deactivate on (0..4 = Last,1st,2nd,3rd,4th)
25h 1 Daylight Saving Time (Day)
Bit 0-3 Activate on (0..7 = Mon,Tue,Wed,Thu,Fri,Sat,Sun,AnyDay)
Bit 4-7 Deactivate on (0..7 = Mon,Tue,Wed,Thu,Fri,Sat,Sun,AnyDay)
26h 1 Daylight Saving Time (of Month)
Bit 0-3 Activate DST in Month (1..12)
Bit 4-7 Deactivate DST in Month (1..12)
27h 1 Daylight Saving Time (Flags)
Bit 0 Current DST State (0=Off, 1=On)
Bit 1 Adjust DST Enable (0=Disable, 1=Enable)
|
| DS Wireless Communications |
| DS Wifi I/O Map |
Addr Dir Name r/w [Init] Description 000h R W_ID ---- [1440] Chip ID (1440h=DS, C340h=DS-Lite) 004h R/W W_MODE_RST 9fff [0000] Mode/Reset 006h R/W W_MODE_WEP --7f [0000] Mode/Wep modes 008h R/W W_TXSTATCNT ffff [0000] Beacon Status Request 00Ah R/W W_X_00Ah ffff [0000] [bit7 - ingore rx duplicates] 010h R/W W_IF ackk [0000] Wifi Interrupt Request Flags 012h R/W W_IE ffff [0000] Wifi Interrupt Enable 018h R/W W_MACADDR_0 ffff [0000] Hardware MAC Address (first 2 bytes) 01Ah R/W W_MACADDR_1 ffff [0000] Hardware MAC Address (next 2 bytes) 01Ch R/W W_MACADDR_2 ffff [0000] Hardware MAC Address (last 2 bytes) 020h R/W W_BSSID_0 ffff [0000] BSSID (first 2 bytes) 022h R/W W_BSSID_1 ffff [0000] BSSID (next 2 bytes) 024h R/W W_BSSID_2 ffff [0000] BSSID (last 2 bytes) 028h R/W W_AID_LOW ---f [0000] usually as lower 4bit of AID value 02Ah R/W W_AID_FULL -7ff [0000] AID value assigned by a BSS. 02Ch R/W W_TX_RETRYLIMIT ffff [0707] Tx Retry Limit (set from 0x00-0xFF) 02Eh R/W W_INTERNAL ---1 [0000] 030h R/W W_RXCNT ff0e [0000] Receive control 032h R/W W_WEP_CNT ffff [0000] WEP engine enable 034h R? W_INTERNAL 0000 [0000] bit0,1 (see port 004h and 1A0h) |
036h R/W W_POWER_US ---3 [0001] 038h R/W W_POWER_TX ---7 [0003] 03Ch R/W W_POWERSTATE -r-2 [0200] 040h R/W W_POWERFORCE 8--1 [0000] 044h R W_RANDOM 0xxx [0xxx] 048h R/W W_POWER_? ---3 [0000] |
050h R/W W_RXBUF_BEGIN ffff [4000] 052h R/W W_RXBUF_END ffff [4800] 054h R W_RXBUF_WRCSR 0rrr [0000] 056h R/W W_RXBUF_WR_ADDR -fff [0000] 058h R/W W_RXBUF_RD_ADDR 1ffe [0000] 05Ah R/W W_RXBUF_READCSR -fff [0000] 05Ch R/W W_RXBUF_COUNT -fff [0000] 060h R W_RXBUF_RD_DATA rrrr [xxxx] 062h R/W W_RXBUF_GAP 1ffe [0000] 064h R/W W_RXBUF_GAPDISP -fff [0000] 068h R/W W_TXBUF_WR_ADDR 1ffe [0000] 06Ch R/W W_TXBUF_COUNT -fff [0000] 070h W W_TXBUF_WR_DATA xxxx [xxxx] 074h R/W W_TXBUF_GAP 1ffe [0000] 076h R/W W_TXBUF_GAPDISP 0fff [0000] |
078h W W_INTERNAL mirr [mirr] Read: Mirror of 068h 080h R/W W_TXBUF_BEACON ffff [0000] Beacon Transmit Location 084h R/W W_TXBUF_TIM --ff [0000] Beacon TIM Index in Frame Body 088h R/W W_LISTENCOUNT --ff [0000] Listen Count 08Ch R/W W_BEACONINT -3ff [0064] Beacon Interval 08Eh R/W W_LISTENINT --ff [0000] Listen Interval 090h R/W W_TXBUF_EXTRA ffff [0000] (used by firmware part4) 094h R/W x ffff [0000] ? (used by firmware part4) 098h R x 0000 [0000] (used by firmware part4) 09Ch R/W W_INTERNAL ffff [0050] value 4x00h --> preamble+x*12h us? 0A0h R/W W_TXBUF_LOC1 ffff [0000] 0A4h R/W W_TXBUF_LOC2 ffff [0000] 0A8h R/W W_TXBUF_LOC3 ffff [0000] 0ACh W W_TXREQ_RESET fixx [0050] 0AEh W W_TXREQ_SET fixx [0050] 0B0h R W_TXREQ_READ --1f [0010] 0B4h W W_TXBUF_RESET 0000 [0000] (used by firmware part4) 0B6h R W_TXBUSY 0000 [0000] (used by firmware part4) 0B8h R W_TXSTAT 0000 [0000] 0BAh ? W_INTERNAL 0000 [0000] 0BCh R/W W_PREAMBLE ---3 [0001] 0C0h R/W x ffff [0000] (used by firmware part4) 0C4h R/W x ffff [0000] (used by firmware part4) 0C8h ? W_INTERNAL 0000 [0000] 0D0h R/W W_RXFILTER 1fff [0401] 0D4h R/W W_CONFIG_0D4h ---3 [0001] 0D8h R/W W_CONFIG_0D8h -fff [0004] 0DAh R/W W_CONFIG_0DAh ffff [0602] 0E0h R/W W_RXFILTER2 ---f [0008] |
0E8h R/W W_US_COUNTCNT ---1 [0000] Microsecond counter enable 0EAh R/W W_US_COMPARECNT ---1 [0000] Microsecond compare enable 0ECh R/W W_CONFIG_0ECh 3f1f [3F03] 0EEh R/W W_EXTRACOUNTCNT ---1 [0001] 0F0h R/W W_US_COMPARE0 fc-- [FC00] Microsecond compare, bits 0-15 0F2h R/W W_US_COMPARE1 ffff [FFFF] Microsecond compare, bits 16-31 0F4h R/W W_US_COMPARE2 ffff [FFFF] Microsecond compare, bits 32-47 0F6h R/W W_US_COMPARE3 ffff [FFFF] Microsecond compare, bits 48-63 0F8h R/W W_US_COUNT0 ffff [0000] Microsecond counter, bits 0-15 0FAh R/W W_US_COUNT1 ffff [0000] Microsecond counter, bits 16-31 0FCh R/W W_US_COUNT2 ffff [0000] Microsecond counter, bits 32-47 0FEh R/W W_US_COUNT3 ffff [0000] Microsecond counter, bits 48-63 100h ? W_INTERNAL 0000 [0000] 102h ? W_INTERNAL 0000 [0000] 104h ? W_INTERNAL 0000 [0000] 106h ? W_INTERNAL 0000 [0000] 10Ch R/W W_CONTENTFREE ffff [0000] ... 110h R/W W_PRE_BEACON ffff [0000] 118h R/W W_EXTRACOUNT ffff [0000] 11Ch R/W W_BEACONCOUNT1 ffff [0000] decreases; reloaded with W_BEACONINT |
120h R/W W_CONFIG_120h 81ff [0048] ...init from firmware[04Ch] 122h R/W W_CONFIG_122h ffff [4840] ...init from firmware[04Eh] 124h R/W W_CONFIG_124h ffff [0000] ...init from firmware[05Eh], or 00C8h 126h ? W_INTERNAL fixx [ 0080] 128h R/W W_CONFIG_128h ffff [0000] ...init from firmware[060h], or 07D0h 12Ah ? W_INTERNAL fixx [1000] lower 12bit are same as W_CONFIG_128h 130h R/W W_CONFIG_130h -fff [0142] ...init from firmware[054h] 132h R/W W_CONFIG_132h 8fff [8064] ...init from firmware[056h] 134h R/W W_BEACONCOUNT2 ffff [FFFF] ... 140h R/W W_CONFIG_140h ffff [0000] ...init from firmware[058h], or xx 142h R/W W_CONFIG_142h ffff [2443] ...init from firmware[05Ah] 144h R/W W_CONFIG_144h --ff [0042] ...init from firmware[052h] 146h R/W W_CONFIG_146h --ff [0016] ...init from firmware[044h] 148h R/W W_CONFIG_148h --ff [0016] ...init from firmware[046h] 14Ah R/W W_CONFIG_14Ah --ff [0016] ...init from firmware[048h] 14Ch R/W W_CONFIG_14Ch ffff [162C] ...init from firmware[04Ah] 150h R/W W_CONFIG_150h ff3f [0204] ...init from firmware[062h], or 202h 154h R/W W_CONFIG_154h 7a7f [0058] ...init from firmware[050h] |
158h W W_BB_CNT mirr [00B5] BB Access Start/Direction/Index 15Ah W W_BB_WRITE ???? [0000] BB Access data byte to write 15Ch R W_BB_READ 00rr [00B5] BB Access data byte read 15Eh R W_BB_BUSY 000r [0000] BB Access Busy flag 160h R/W W_BB_MODE 41-- [0100] BB Access Mode 168h R/W W_BB_POWER 8--f [800D] BB Access Powerdown |
16Ah ? W_INTERNAL 0000 [0001] (or 0000h?) 170h ? W_INTERNAL 0000 [0000] 172h ? W_INTERNAL 0000 [0000] 174h ? W_INTERNAL 0000 [0000] 176h ? W_INTERNAL 0000 [0000] 178h W W_INTERNAL fixx [0800] Read: mirror of 17Ch |
17Ch R/W W_RF_DATA2 ffff [0800] 17Eh R/W W_RF_DATA1 ffff [C008] 180h R W_RF_BUSY 000r [0000] 184h R/W W_RF_CNT 413f [0018] |
190h R/W W_INTERNAL ffff [0000] 194h R/W x ---7 [0000] (used by firmware part4) (0 or 6) 198h R/W W_INTERNAL ---f [0000] 19Ch R W_RF_PINS fixx [0004] 1A0h R/W x -933 [0000] (used by firmware part4) (0 or 823h) 1A2h R/W x ---3 [0001] (used by firmware part4) 1A4h R/W x ffff [0000] "Rate used when signal test..." |
1A8h R W_RXSTAT_INC_IF rrrr [0000] Statistics Increment Flags 1AAh R/W W_RXSTAT_INC_IE ffff [0000] Statistics Increment IRQ Enable 1ACh R W_RXSTAT_OVF_IF rrrr [0000] Statistics Half-Overflow Flags 1AEh R/W W_RXSTAT_OVF_IE ffff [0000] Statistics Half-Overflow IRQ Enable 1B0h R/W W_RXSTAT --ff [0000] 1B2h R/W W_RXSTAT ffff [0000] RX_LengthErrorCount RX_RateErrorCount 1B4h R/W W_RXSTAT rrff [0000] ... firmware uses also MSB ... ? 1B6h R/W W_RXSTAT ffff [0000] 1B8h R/W W_RXSTAT --ff [0000] 1BAh R/W W_RXSTAT --ff [0000] 1BCh R/W W_RXSTAT ffff [0000] 1BEh R/W W_RXSTAT ffff [0000] 1C0h R/W W_TX_ERR_COUNT --ff [0000] TransmitErrorCount 1C4h R W_RX_COUNT fixx [0000] |
1D0h R/W W_STAT ff-- [0000] 1D2h R/W W_STAT ffff [0000] 1D4h R/W W_STAT ffff [0000] 1D6h R/W W_STAT ffff [0000] 1D8h R/W W_STAT ffff [0000] 1DAh R/W W_STAT ffff [0000] 1DCh R/W W_STAT ffff [0000] 1DEh R/W W_STAT ffff [0000] |
1F0h R/W W_INTERNAL ---3 [0000]
204h ? W_INTERNAL fixx [0000]
208h ? W_INTERNAL fixx [0000]
20Ch W W_INTERNAL fixx [0050]
210h R W_TX_SEQNO fixx [0000]
214h R W_RF_STATUS XXXX [0009] (used by firmware part4)
21Ch W W_IF_SET fbff [0000] Force Interrupt (set bits in W_IF).
220h R/W W_INTERNAL ffff [0000] "Has something to do with whether the
packet is ignored or allowed by the
packet filtering system"
Bit0-1: Enable/Disable WifiRAM
(nothing to do with filtering, just
locks memory at 4000h-5FFFh)
224h R/W W_INTERNAL ---3 [0003]
228h W x fixx [0000] (used by firmware part4) (bit3)
230h R/W W_INTERNAL --ff [0047]
234h R/W W_INTERNAL -eff [0EFF]
238h R/W W_INTERNAL ffff [0000]
23Ch ? W_INTERNAL fixx [0000] like W_TXSTAT, but ONLY for beacons?
244h R/W x ffff [0000] (used by firmware part4)
248h R/W W_INTERNAL ffff [0000]
24Ch ? W_INTERNAL fixx [0000]
24Eh ? W_INTERNAL fixx [0000]
250h ? W_INTERNAL fixx [0000]
254h ? W_CONFIG_254h fixx [0000] (is EEEEh on DS-Lite)
258h ? W_INTERNAL fixx [0000]
25Ch ? W_INTERNAL fixx [0000]
260h ? W_INTERNAL fixx [ 0FEF]
264h ? W_INTERNAL fixx [0000]
268h R x W_RXUNITS fixx [0005]
270h ? W_INTERNAL fixx [0000]
274h ? W_INTERNAL fixx [ 0001]
278h R/W W_INTERNAL ffff [000F]
27Ch ? W_INTERNAL fixx [ 000A]
290h (R/W) x fixx [FFFF] bit 0 = ? (used by firmware part4)
298h W W_INTERNAL fixx [0000]
2A0h R/W W_INTERNAL ffff [0000]
2A2h R W_INTERNAL XXXX [7FFF] 15bit shift reg (used during tx...?)
2A4h ? W_INTERNAL fixx [0000]
2A8h W W_INTERNAL fixx [0000]
2ACh ? W_INTERNAL fixx [ 0038]
2B0h W W_INTERNAL fixx [0000]
2B4h R/W W_INTERNAL -1-3 [0000]
2B8h ? W_INTERNAL fixx [0000]
2C0h R/W W_INTERNAL ---1 [0000]
2C4h ? W_INTERNAL fixx [ 000A]
2C8h ? W_INTERNAL fixx [0000]
2CCh ? W_INTERNAL fixx [0000]
2D0h DIS W_INTERNAL ;"W_POWERACK" (not used by firmware)
;normally DISABLED (except on FORCE)
2F0h R/W W_INTERNAL ffff [0000]
2F2h R/W W_INTERNAL ffff [0000]
2F4h R/W W_INTERNAL ffff [0000]
2F6h R/W W_INTERNAL ffff [0000]
|
4804000h W_MACMEM RX/TX Buffers (2000h bytes) (excluding below specials) 4805F60h Used for something, not included in the rx circular buffer. 4805F80h W_WEPKEY_0 (32 bytes) 4805FA0h W_WEPKEY_1 (32 bytes) 4805FC0h W_WEPKEY_2 (32 bytes) 4805FE0h W_WEPKEY_3 (32 bytes) |
| DS Wifi Control |
0-15 Chip ID (1440h on NDS, C340h on NDS-lite) |
0 Adjust some ports (0/1=see lists below) (R/W)
TX Master Enable for LOC1..3 and Beacon (0=Disable, 1=Enable)
1-12 Unknown (R/W)
13 Reset some ports (0=No change, 1=Reset/see list below) (Write-Only)
14 Reset some ports (0=No change, 1=Reset/see list below) (Write-Only)
15 Unknown (R/W)
|
0-2 specify a software mode for wifi operation
(may be related to hardware but a correlation has not yet been found)
3-5 specify the hardware WEP mode
0=no WEP, 1=64bit WEP (48bit key), and 3=128bit WEP.
(Values 2 and 4 exist too, but are nonstandard)
6 Unknown
8-15 Always zero
|
Bit0-3 Maybe player-number, assuming that HW supports such? (1..15, or 0) Bit4-15 Not used |
Bit0-10 Association ID (AID) (1..2007, or zero) Bit11-15 Not used |
0-14 Unknown (usually zero) 15 WEP Engine Enable (0=Disable, 1=Enable) |
0-10 Random 11-15 Not used (zero) |
X = (X AND 1) XOR (X ROL 1) ;(rotation within 11bit range) |
Bit Dir Expl. 0 R/W Unknown (this does NOT affect TX) 1 R/W Preamble (0=Long, 1=Short) (this does NOT affect TX) 2 W Preamble (0=Long, 1=Short) (this does affect TX) (only at 2Mbit/s) 3-15 - Always zero |
Type Carrier Signal SFD Value PLCP Header Data Long 128bit, 1Mbit 16bit, 1Mbit 48bit, 1Mbit N bits, 1Mbit or 2Mbit Short 56bit, 1Mbit 16bit, 1Mbit 48bit, 2Mbit N bits, 2Mbit |
[034h]=0002h ;W_INTERNAL [19Ch]=0046h ;W_RF_PINS [214h]=0009h ;W_RF_STATUS [27Ch]=0005h ;W_INTERNAL [2A2h]=? ;...unstable? |
[27Ch]=000Ah ;W_INTERNAL |
[056h]=0000h ;W_RXBUF_WR_ADDR [0C0h]=0000h ; x [0C4h]=0000h ; x [1A4h]=0000h ; x [278h]=000Fh ;W_INTERNAL ...Also, following may be affected (results are unstable though)... [0AEh]=? ;or rather the actual port (which it is an mirror of) [0BAh]=? ;W_INTERNAL (occassionally unstable) [204h]=? ;W_INTERNAL [25Ch]=? ;W_INTERNAL [268h]=? ;W_RXUNITS [274h]=? ;W_INTERNAL |
[006h]=0000h ;W_MODE_WEP [008h]=0000h ;W_TXSTATCNT [00Ah]=0000h ;W_X_00Ah [018h]=0000h ;W_MACADDR_0 [01Ah]=0000h ;W_MACADDR_1 [01Ch]=0000h ;W_MACADDR_2 [020h]=0000h ;W_BSSID_0 [022h]=0000h ;W_BSSID_1 [024h]=0000h ;W_BSSID_2 [028h]=0000h ;W_AID_LOW [02Ah]=0000h ;W_AID_FULL [02Ch]=0707h ;W_TX_RETRYLIMIT [02Eh]=0000h ;W_INTERNAL [050h]=4000h ;W_RXBUF_BEGIN [052h]=4800h ;W_RXBUF_END [084h]=0000h ;W_TXBUF_TIM [0BCh]=0001h ;W_PREAMBLE [0D0h]=0401h ;W_RXFILTER [0D4h]=0001h ;W_CONFIG_0D4h [0E0h]=0008h ;W_RXFILTER2 [0ECh]=3F03h ;W_CONFIG_0ECh [194h]=0000h ; x [198h]=0000h ;W_INTERNAL [1A2h]=0001h ; x [224h]=0003h ;W_INTERNAL [230h]=0047h ;W_INTERNAL |
| DS Wifi Interrupts |
0 Receive Complete (packet received and stored in the RX fifo) 1 Transmit Complete (packet is done being transmitted) (no matter if error) 2 Receive Event Increment (IRQ02, see W_RXSTAT_INC_IE) 3 Transmit Error Increment (IRQ03, see W_TX_ERR_COUNT) 4 Receive Event Half-Overflow (IRQ04, see W_RXSTAT_OVF_IE) 5 Transmit Error Half-Overflow (IRQ05, see W_TX_ERR_COUNT.Bit7) 6 Start Receive (a packet has just started to be received) 7 Start Transmit (a packet has just started to be transmitted) 8 Txbuf Count Expired (IRQ08, see W_TXBUF_COUNT) 9 Rxbuf Count Expired (IRQ09, see W_RXBUF_COUNT) 10 Not used (always zero, even when trying to set it with W_IF_SET) 11 RF Wakeup (IRQ11, see W_POWERSTATE) 12 ? (IRQ12, see W_EXTRACOUNT) 13 Post-Beacon Timeslot (IRQ13, see W_BEACONCOUNT2) 14 Beacon Timeslot (IRQ14, see W_BEACONCOUNT1/W_US_COMPARE) 15 Pre-Beacon Timeslot (IRQ15, see W_BEACONCOUNT1/W_PRE_BEACON) |
0-15 Enable Flags, same bits as W_IF (0=Disable, 1=Enable) |
0-15 Set corresponding bits in W_IF (0=No change, 1=Set Bit) |
Caution Caution Caution Caution Caution That means, when acknowledging IF.Bit24, then NO FURTHER wifi IRQs will be executed whilst and as long as (W_IF AND W_IE) is non-zero. |
| DS Wifi Power-Down Registers |
0 Disable W_US_COUNT and W_BB_ports (0=Enable, 1=Disable) 1 Unknown (usually 0) 2-15 Always zero |
0 Auto Wakeup (1=Leave Idle Mode a while after IRQ15) 1 Auto Sleep (0=Enter Idle Mode on IRQ13) 2 Unknown 3 Unknown (Write-only) (used by firmware) 4-15 Always zero |
0 Unknown (usually 0) (R/W) 1 Request Power Enable (0=No, 1=Yes/queued) (R/W, but not always) 2-7 Always zero 8 Indicates that Bit9 is about the be cleared (Read only) 9 Current power state (0=Enabled, 1=Disabled) (Read only) 10-15 Always zero |
0 New value for W_POWERSTATE.Bit9 (0=Clear/Delayed, 1=Set/Immediately) 1-14 Always zero 15 Apply Bit0 to W_POWERSTATE.Bit9 (0=No, 1=Yes) |
W_POWERSTATE.Bit8 gets set to indicate the pending operation, while pending, changes to W_POWERFORCE aren't applied to W_POWERSTATE, while pending, W_POWERACK becomes Read/Write-able, writing 0000h to W_POWERACK does clear W_POWERSTATE.Bit8, and does apply POWERFORCE.Bit0 to W_POWERSTATE.Bit9 and does deactivate Port W_POWERACK again. |
0 Unknown 1 Unknown 2-15 Always zero |
| DS Wifi Receive Control |
Bit Description 0 Latch registers for RX FIFO (Write-only) (always reads as zero) 1-3 Unknown (R/W) 4-6 Always zero 7 Related to Port 094h (Write-only) (always reads as zero) 8-14 Unknown (R/W) 15 Enable Queuing received data to RX FIFO (R/W) |
Bit Description 0 (0=Insist on W_BSSID, 1=Accept no matter of W_BSSID) 1-6 Unknown (usually zero) 7 Unknown (0 or 1) 8 Unknown (0 or 1) 9 Unknown (0 or 1) 10 Unknown (0 or 1) (when set, receives beacons, and maybe others) 11 Unknown (usually zero) 12 (0=Normal, 1=Accept even whatever garbage) 13-15 Not used (always zero) |
0 Unknown (0=Receive Data Frames, 1=Ignore Data Frames) (?) 1 Unknown 2 Unknown 3 Unknown (usually set) 4-15 Not used (always zero) |
| DS Wifi Receive Buffer |
0-15 Byte-offset in Wifi Memory (usually 4000h..5FFEh) |
W_RXBUF_BEGIN and W_RXBUF_END are reportedly "latched" when bottom bit of W_RXCNT is set no idea if/where/what is "latched" to/from what location, eventually means that above register settings are forwarded to internal receive registers..? |
0-11 Halfword Address in RAM 12-15 Always zero |
0-11 Halfword Address in RAM 12-15 Always zero |
0 Always zero 1-12 Halfword Address in RAM for reading via W_RXBUF_RD_DATA 13-15 Always zero |
0-11 Halfword Address in RAM 12-15 Always zero |
0-15 Data |
0 Always zero 1-12 Halfword Address in RAM 13-15 Always zero |
Addr=Addr+2 and 1FFEh ;address increment (by W_RXBUF_RD_DATA read)
if Addr=RXBUF_END then ;normal begin/end wrapping (done before gap wraps)
Addr=RXBUF_BEGIN
if Addr=RXBUF_GAP then ;now gap-wrap (may include further begin/end wrap)
Addr=RXBUF_GAP+RXBUF_GAPDISP*2
if Addr>=RXBUF_END then Addr=Addr+RXBUF_BEGIN-RXBUF_END ;wrap more
|
0-11 Halfword Offset, used with W_RXBUF_GAP (see there) 12-15 Always zero |
0-11 Decremented on reads from W_RXBUF_RD_DATA 12-15 Always zero |
| DS Wifi Receive Statistics |
0-12 Increment Flags (see Port 1B0h..1BFh) 13-15 Always zero |
0-12 Counter Increment Interrupt Enable (see Port 1B0h..1BFh) (1=Enable) 13-15 Unknown (usually zero) |
0-12 Half-Overflow Flags (see Port 1B0h..1BFh) 13-15 Always zero |
0-12 Half-Overflow Interrupt Enable (see Port 1B0h..1BFh) (1=Enable) 13-15 Unknown (usually zero) |
Port Dir Bit Expl.
1B0h R/W 0 W_RXSTAT ?
1B1h - - Always 0 -
1B2h R/W 1 W_RXSTAT ? "RX_LengthErrorCount or RX_RateErrorCount"
1B3h R/W 2 W_RXSTAT Length>2348 error
1B4h R/W 3 W_RXSTAT RXBUF Full error
1B5h R 4? W_RXSTAT ? (R) (but seems to exist; used by firmware)
1B6h R/W 5 W_RXSTAT Length=0 Error ;"0x20=FCS_ERROR,"
1B7h R/W 6 W_RXSTAT Packet Received Okay ;"0x40=FCS_OK,"
(also increments on W_MACADDR mis-match)
(also increments on internal ACK packets)
(also increments on invalid IEEE type=3)
(also increments TOGETHER with 1BCh and 1BEh)
(not incremented on RXBUF_FULL error)
1B8h R/W 7 W_RXSTAT ?
1B9h - - Always 0 -
1BAh R/W 8 W_RXSTAT ?
1BBh - - Always 0 -
1BCh R/W 9 W_RXSTAT WEP Error (when FC.Bit14 is set)
1BDh R/W 10 W_RXSTAT ?
1BEh R/W 11 W_RXSTAT (duplicated sequence control) ;"0x800 = DUPE, ?"
1BFh R/W 12 W_RXSTAT ?
|
0-? Receive Okay Count (increments together with ports 1B4h + 1B7h) 8-? Receive Error Count (increments together with ports 1B3h + 1B6h) |
1D0h Not used (always zero) 1D1h..1DFh Client 1..15 |
| DS Wifi Transmit Control |
0-3 Reset corresponding bits in W_TXREQ_READ (0=No change, 1=Reset) 4-15 Unknown (if any) |
0-3 Set corresponding bits in W_TXREQ_READ (0=No change, 1=Set) 4-15 Unknown (if any) |
0 Send W_TXBUF_LOC1 (1=Transfer, if enabled in W_TXBUF_LOC1.Bit15) 1 Send W_TXBUF_EXTRA (1=Transfer, if enabled in W_TXBUF_EXTRA.Bit15) 2 Send W_TXBUF_LOC2 (1=Transfer, if enabled in W_TXBUF_LOC2.Bit15) 3 Send W_TXBUF_LOC3 (1=Transfer, if enabled in W_TXBUF_LOC3.Bit15) 4 Unknown (seems to be always 1) (never used by firmware part4) 5-15 Unknown/Not used |
0 W_TXBUF_LOC1 (1=Requested Transfer busy, or not yet started at all) 1 W_TXBUF_EXTRA (1=Requested Transfer busy, or not yet started at all) 2 W_TXBUF_LOC2 (1=Requested Transfer busy, or not yet started at all) 3 W_TXBUF_LOC3 (1=Requested Transfer busy, or not yet started at all) 4 W_TXBUF_BEACON (1=Beacon Transfer busy) 5-15 Unknown (if any) |
0 One (or more) Packet has Completed (1=Yes)
(No matter if successful, for that info see Bit1)
(No matter if ALL packets are done, for that info see Bit12-13)
1 Packet Failed (1=Error)
2-7 Unknown/Not used
8-11 Usually 0, ...but firmware is checking for values 03h,08h,0Bh
(gets set to 07h when transferred W_TXBUF_LOC1/2/3 did have Bit12=set)
(gets set to 00h otherwise)
(gets set to 03h after beacons; if enabled in W_TXSTATCNT.Bit15)
(gets set to 08h or 0Bh after EXTRA; depending on W_TXSTATCNT.Bit13,14)
12-13 Packet which has updated W_TXSTAT (0=LOC1/BEACON/EXTRA, 1=LOC2, 2=LOC3)
14-15 Unknown/Not used
|
0-12 Unknown (usually zero) 13 Update W_TXSTAT=0B01h and trigger IRQ01 after EXTRA transmits (1=Yes) 14 Update W_TXSTAT=0800h and trigger IRQ01 after EXTRA transmits (1=Yes) 15 Update W_TXSTAT and trigger IRQ01 after BEACON transmits (0=No, 1=Yes) |
0-11 Increments on IRQ07 (Transmit Start Interrupt) 12-15 Always zero |
| DS Wifi Transmit Buffers |
0 Always zero 1-12 Halfword Address in RAM for Writes via W_TXBUF_WR_DATA 13-15 Always zero |
0-15 Data to be written to address specified in W_TXBUF_WR_ADDR |
0 Always zero 1-12 Halfword Address 13-15 Always zero |
0-11 Halfword Offset (added to; if equal to W_TXBUF_GAP) 12-15 Always zero |
0-11 Halfword Address of TX Frame Header in RAM
12 For LOC1-3: When set, W_TXSTAT.bit8-10 are set to 07h after transfer
For BEACON: Unknown, no effect on W_TXSTAT
For EXTRA: Unknown, no effect on W_TXSTAT
13 IEEE Sequence Control (0=From W_TX_SEQNO, 1=Value in Wifi RAM)
For BEACON: Unknown (always uses W_TX_SEQNO) (no matter of bit13)
14 Unknown
15 Transfer Request (1=Request/Pending)
|
0 Disable LOC1 (0=No change, 1=Reset W_TXBUF_LOC1.Bit15) 1 Disable EXTRA (0=No change, 1=Reset W_TXBUF_EXTRA.Bit15) 2 Disable LOC2 (0=No change, 1=Reset W_TXBUF_LOC2.Bit15) 3 Disable LOC3 (0=No change, 1=Reset W_TXBUF_LOC3.Bit15) 4-5 Unknown/Not used 6 Unknown (used by firmware) (probably ack/reset Port 098h...?) 7 Unknown (0=No change, 1=Reset Port 094h.Bit15) 8-15 Unknown/Not used |
0-7 Location of TIM parameters within Beacon Frame Body 8-15 Not used/zero |
0-11 Decremented on writes to W_TXBUF_WR_DATA 12-15 Always zero |
| DS Wifi Transmit Errors |
0-7 Retry Count (usually 07h) 8-15 Unknown (usually 07h) |
0-7 TransmitErrorCount 8-15 Always zero |
| DS Wifi Status |
0 Reportedly "carrier sense" (maybe 1 during RX.DTA?) (usually 0) 1 TX.MAIN (RFU.Pin17) Transmit Data Phase (0=No, 1=Active) 2 Unknown (RFU.Pin3) Seems to be always high (Always 1=high?) 3-5 Not used (Always zero) 6 TX.ON (RFU.Pin14) Transmit Preamble+Data Phase (0=No, 1=Active) 7 RX.ON (RFU.Pin15) Receive Mode (0=No, 1=Enabled) 8-15 Not used (Always zero) |
0-3 Current Transmit/Receive State:
0 = Initial Value on power-up (before raising W_MODE_RST.Bit0)
1 = RX Mode enabled (waiting for incoming data)
2 = Switching from RX to TX (takes a few clock cycles)
3 = TX Mode active (sending preamble and data)
4 = Switching from TX to RX (takes a few clock cycles)
5 = Unknown, firmware checks for that value (maybe RX busy)
6 = Unknown, firmware checks for that value (maybe RX busy)
9 = Idle (upon IRQ13, and upon raising W_MODE_RST.Bit0)
4-15 Always zero?
|
| DS Wifi Timers |
0 Counter Enable (0=Disable, 1=Enable) 1-15 Always zero |
0-63 Counter Value in microseconds (incrementing) |
0 Compare Enable (0=Disable, 1=Enable) (IRQ14/IRQ15) 1 Force IRQ14 (0=No, 1=Force Now) (Write-only) 2-15 Always zero |
0 Always zero... firmware writes 1 though (maybe write-only flag?) 1-9 Always zero 10-63 Compare Value in milliseconds (aka microseconds/1024) |
0-15 Decrementing Millisecond Counter (reloaded with W_BEACONINT upon IRQ14) |
0-15 Decrementing Millisecond Counter (reloaded with FFFFh upon IRQ14) |
0-9 Frequency in milliseconds of beacon transmission 10-15 Always zero |
0-15 Pre-Beacon Time in microseconds (static value, ie. NOT decrementing) |
0-7 Decremented by hardware at IRQ14 events (ie. once every beacon) 8-15 Always zero |
0-7 Listen Interval, counted in beacons (usually 02h) 8-15 Always zero |
0-15 Decrementing microsecond counter |
0 Enable W_EXTRACOUNT (0=Disable, 1=Enable) 1-15 Always Zero |
0-15 Decremented once every 10 microseconds (Stopped at 0000h) |
W_IF.Bit13=1 ;interrupt request |
W_RF_PINS.Bit7=0 ;disable receive (enter idle mode) (RX.ON=Low) W_RF_STATUS=9 ;indicate idle mode |
W_BEACONCOUNT1=W_BEACONINT ;next IRQ15/IRQ14 (Above is NOT done when IRQ14 was forced via W_US_COMPARECNT.Bit1) |
(Below IS ALSO DONE when IRQ14 was forced via W_US_COMPARECNT.Bit1)
W_IF.Bit14=1
W_BEACONCOUNT2=FFFFh ;about 64 secs (ie. almost never) ;next IRQ13 ("never")
W_TXREQ_READ=W_TXREQ_READ AND FFF2h
if W_TXBUF_BEACON.15 then W_TXBUSY.Bit4=1
if W_LISTENCOUNT=00h then W_LISTENCOUNT=W_LISTENINT
W_LISTENCOUNT=W_LISTENCOUNT-1
|
W_RF_PINS.Bit7=0 ;disable receive (RX.ON=Low) W_RF_STATUS=2 ;indicate switching from RX to TX mode |
W_RF_PINS.Bit6=1 ;transmit preamble start (TX.ON=High) W_RF_STATUS=3 ;indicate TX mode |
W_BEACONCOUNT2 = W_BEACONCOUNT2 + TagDDhSteppingValue ;next IRQ13 |
W_IF.Bit7=1 ;interrupt request W_RF_PINS.Bit1=1 ;start data transfer (preamble finished now) (TX.MAIN=High) |
[TXBUF...] = W_TX_SEQNO*10h ;auto-adjust IEEE Sequence Control W_TX_SEQNO=W_TX_SEQNO+1 ;increase sequence number |
W_RF_PINS.Bit6=0 ;disable TX (TX.ON=Low) W_RF_STATUS=4 ;indicate switching from TX to RX mode |
W_IF.Bit1=1 ;interrupt request W_RF_PINS.Bit1=0 ;disable TX (TX.MAIN=Low) W_RF_PINS.Bit7=1 ;enable RX (RX.ON=High) W_RF_STATUS=1 ;indicate RX mode |
if W_US_COMPARECNT=1 then W_IF.Bit15=1 |
W_RF_PINS.Bit7=1 ;enable RX (RX.ON=High) ;\gets set like so a good while W_RF_STATUS=1 ;indicate RX mode ;/after IRQ15 (but not immediately) |
IRQ15 Pre-Beacon (beacon will be transferred soon) IRQ14 Beacon (beacon will be transferred very soon) (carrier starts) IRQ07 Tx Start (beacon transfer starts) (if enabled in W_TXBUF_BEACON.15) IRQ01 Tx End (beacon transfer done) (if enabled in W_TXSTATCNT.15) IRQ13 Post-Beacon (beacon transferred) (unless next IRQ14 occurs earlier) |
| DS Wifi Configuration Ports |
W_CONFIG_140h = firmware[058h]+0202h ;1Mbit/s W_CONFIG_140h = firmware[058h]+0202h-6161h ;2Mbit/s with long preamble W_CONFIG_140h = firmware[058h]+0202h-6161h-6060h ;2Mbit/s with short preamble |
| DS Wifi Baseband Chip (BB) |
0-7 Index (00h-68h) 8-11 Not used (should be zero) 12-15 Direction (5=Write BB_WRITE to Chip, 6=Read from Chip to BB_READ) |
0-7 Data to be sent to chip (by following W_BB_CNT transfer) 8-15 Not used (should be zero) |
0-7 Data received from chip (from previous W_BB_CNT transfer) 8-15 Not used (always zero) |
0 Transfer Busy (0=Ready, 1=Busy) 1-15 Always zero |
0-7 Always zero 8 Unknown (usually 1) (no effect no matter what setting?) 9-13 Always zero 14 Unknown (usually 0) (W_BB_READ gets unstable when set) 15 Always zero |
0-3 Disable whatever (usually 0Dh=disable) 4-14 Always zero 15 Disable W_BB_ports (usually 1=Disable) |
Index Num Dir Expl. 00h 1 R always 6Dh (R) (Chip ID) 01h..0Ch 12 R/W 8bit R/W 0Dh..12h 6 - always 00h 13h..15h 3 R/W 8bit R/W 16h..1Ah 5 - always 00h 1Bh..26h 12 R/W 8bit R/W 27h 1 - always 00h 28h..4Ch R/W 8bit R/W 4Dh 1 R always 00h or BFh (depending on other regs) 4Eh..5Ch R/W 8bit R/W 5Dh 1 R always 01h (R) 5Eh..61h - always 00h 62h..63h 2 R/W 8bit R/W 64h 1 R always FFh or 3Fh (depending on other regs) 65h 1 R/W 8bit R/W 66h 1 - always 00h 67h..68h 2 R/W 8bit R/W 69h..FFh - always 00h |
Addr Initial Meaning
01h 0x9E [unsetting/resetting bit 7 initializes/resets the system?]
13h 0x00 CCA operation - criteria for receiving
0=only use Carrier Sense (CS)
1=only use Energy Detection (ED)
2=receive if CS OR ED
3=receive only if CS AND ED
1Eh 0xBB see change channels flowchart
35h 0x1F Energy Detection (ED) criteria
value 0..61 (representing energy levels of -60dBm to -80dBm)
|
| DS Wifi RF Chip |
0-1 Upper 2bit of 18bit data 2-5 Index (00h..0Bh) 6-7 Should be zero (part of 24bit transfer) 8-15 Should be zero (not used with 24bit transfer) |
0-3 Command (should be 5=write data) 4-15 Should be zero (not used with 20bit transfer) |
0-15 Lower 16bit of 18bit data |
0-7 Data 8-15 Index (usually 00h..28h) |
0 Transfer Busy (0=Ready, 1=Busy) 1-15 Always zero |
0-5 Transfer length (init from firmware[041h].Bit0-5) 6-7 Always zero 8 Unknown (init from firmware[041h].Bit7) 9-13 Always zero 14 Unknown (usually 0) 15 Always zero |
Firmware Index Data (24bit) (4bit) (18bit) 00C007h = 00h + 0C007h ;-also set to 0C008h for power-down? 129C03h = 04h + 29C03h 141728h = 05h + 01728h ;\these are also written when changing channels 1AE8BAh = 06h + 2E8BAh ;/ 1D456Fh = 07h + 1456Fh 23FFFAh = 08h + 3FFFAh 241D30h = 09h + 01D30h ;-bit10..14 should be also changed per channel? 280001h = 0Ah + 00001h 2C0000h = 0Bh + 00000h 069C03h = 01h + 29C03h 080022h = 02h + 00022h 0DFF6Fh = 03h + 1FF6Fh |
| DS Wifi Unknown Registers |
0-11 Halfword address 12-15 Always zero |
0-15 Unknown (usually zero) |
0-2 Unknown. Firmware writes values 00h, 06h. 3-15 Always zero |
0-1 Unknown 2-3 Always zero 4-5 Unknown 6-7 Always zero 8 Unknown 9-10 Always zero 11 Unknown 12-15 Always zero |
0-1 Unknown. Firmware writes values 03h, 01h, and VAR. 2-15 Always zero |
0 Unknown (R/W) (if present) 1-15 Not used |
| DS Wifi Unused Registers |
4800000h-4807FFFh Wifi WS0 Region (32K) 4808000h-4808000h Wifi WS1 Region (32K) 4810000h-4FFFFFFh Not used (00h-filled) |
Wifi-WS0-Region Wifi-WS1-Region Content 4800000h-4800FFFh 4808000h-4808FFFh Registers 4801000h-4801FFFh 4809000h-4809FFFh Registers (mirror) 4802000h-4803FFFh 480A000h-480BFFFh Unused 4804000h-4805FFFh 480C000h-480DFFFh Wifi RAM (8K) 4806000h-4806FFFh 480E000h-480EFFFh Registers (mirror) 4807000h-4807FFFh 480F000h-480FFFFh Registers (mirror) |
2030h, 2044h, 2056h, 2080h, 2090h, 2094h, 2098h, 209Ch, 20A0h, 20A4h, 20A8h, 20AAh, 20B0h, 20B6h, 20BAh, 21C0h, 2208h, 2210h, 2244h, 31D0h, 31D2h, 31D4h, 31D6h, 31D8h, 31DAh, 31DCh, 31DEh. |
Read from (W) Mirrors to (DS) Or to (DS-Lite) 070h W_TXBUF_WR_DATA 060h W_RXBUF_RD_DATA 074h W_TXBUF_GAP 078h W_INTERNAL 068h W_TXBUF_WR_ADDR 074h W_TXBUF_GAP 0ACh W_TXREQ_RESET 09Ch W_INTERNAL ? (zero) 0AEh W_TXREQ_SET 09Ch W_INTERNAL ? (zero) 0B4h W_TXBUF_RESET 0B6h W_TXBUSY ? (zero) 158h W_BB_CNT 15Ch W_BB_READ ? (zero) 15Ah W_BB_WRITE ? (zero) ? (zero) 178h W_INTERNAL 17Ch W_RF_DATA2 ? (zero) 20Ch W_INTERNAL 09Ch W_INTERNAL ? (zero) 21Ch W_IF_SET 010h W_IF 010h-OR-05Ch-OR-more? 228h x ? (zero) ? (zero) 298h W_INTERNAL 084h W_TXBUF_TIM 084h W_TXBUF_TIM 2A8h W_INTERNAL 238h W_INTERNAL 238h W_INTERNAL 2B0h W_INTERNAL 084h W_TXBUF_TIM 084h W_TXBUF_TIM |
| DS Wifi Initialization |
[4000304h].Bit1 = 1 ;POWCNT2 ;-Enable power to the wifi system W_MACADDR = firmware[036h] ;-Set 48bit Mac address reg[012h] = 0000h ;W_IE ;-Disable interrupts |
reg[036h] = 0000h ;W_POWER_US ;\clear all powerdown bits
delay 8 ms ; (works without that killer-delay ?)
reg[168h] = 0000h ;W_BB_POWER ;/
temp=BB[01h] ;\
BB[01h]=temp AND 7Fh ; reset BB[01h].Bit7, then restore old BB[01h]
BB[01h]=temp ;/
delay 30 ms ;-(more killer-delay now getting REALLY slow)
call init_sub_functions ;- same as "Init 16 registers by firmware[..]"
; and "Init RF registers", below.
; this or the other one probably not necessary
|
reg[004h] = 0000h - W_MODE_RST ;set hardware mode
reg[008h] = 0000h - W_TXSTATCNT ;
reg[00Ah] = 0000h - ? W_X_00Ah ;(related to rx filter)
reg[012h] = 0000h - W_IE ;disable interrupts (again)
reg[010h] = FFFFh - W_IF ;acknowledge/clear any interrupts
reg[254h] = 0000h - W_CONFIG_254h ;
reg[0B4h] = FFFFh - W_TXBUF_RESET ;--reset TXBUF_LOC's
; so, why does it still work???
reg[080h] = 0000h - W_TXBUF_BEACON ;disable automatic beacon transmission
reg[02Ah] = 0000h - W_AID_FULL ;\clear AID
reg[028h] = 0000h - W_AID_LOW ;/
reg[0E8h] = 0000h - W_US_COUNTCNT ;disable microsecond counter
reg[0EAh] = 0000h - W_US_COMPARECNT ;disable microsecond compare
reg[0EEh] = 0001h - W_EXTRACOUNTCNT ;(not by firmware) (set reset anyways)
reg[0ECh] = 3F03h - W_CONFIG_0ECh ;
reg[1A2h] = 0001h - ? ;
reg[1A0h] = 0000h - ? ;
reg[110h] = 0800h - W_PRE_BEACON ;(firmware doesn't do that?)
reg[0BCh] = 0001h - W_PREAMBLE ;disable short preamble
reg[0D4h] = 0003h - W_CONFIG_0D4h ;
reg[0D8h] = 0004h - W_CONFIG_0D8h ;
reg[0DAh] = 0602h - W_CONFIG_0DAh ;
reg[076h] = 0000h - W_TXBUF_GAPDISP ;disable gap/skip (offset=zero)
|
reg[146h] = firmware[044h] ;W_CONFIG_146h reg[148h] = firmware[046h] ;W_CONFIG_148h reg[14Ah] = firmware[048h] ;W_CONFIG_14Ah reg[14Ch] = firmware[04Ah] ;W_CONFIG_14Ch reg[120h] = firmware[04Ch] ;W_CONFIG_120h reg[122h] = firmware[04Eh] ;W_CONFIG_122h reg[154h] = firmware[050h] ;W_CONFIG_154h reg[144h] = firmware[052h] ;W_CONFIG_144h reg[130h] = firmware[054h] ;W_CONFIG_130h reg[132h] = firmware[056h] ;W_CONFIG_132h reg[140h] = firmware[058h] ;W_CONFIG_140h reg[142h] = firmware[05Ah] ;W_CONFIG_142h reg[038h] = firmware[05Ch] ;W_POWER_TX reg[124h] = firmware[05Eh] ;W_CONFIG_124h reg[128h] = firmware[060h] ;W_CONFIG_128h reg[150h] = firmware[062h] ;W_CONFIG_150h |
numbits = BYTE firmware[041h] ;usually 18h
numbytes = (numbits+7)/8 ;usually 3
reg[0x184] = (numbits+80h) AND 017Fh -- W_RF_CNT
for i=0 to BYTE firmware[042h]-1 ;number of entries (usually 0Ch) (0..0Bh)
if BYTE firmware[040h]=3
RF[i]=firmware[0CEh+i]
else
RF_Write(numbytes at firmware[0CEh+i*numbytes])
endif
|
(this should be not required, already set by firmware bootcode) reg[160h] = 0100h ;W_BB_MODE BB[0..68h] = firmware[64h+(0..68h)] |
copy 6 bytes from firmware[036h] to mac address at 0x04800018 (why again ?) |
reg[02Ch]=0007h ;W_TX_RETRYLIMIT - XXX needs to be set for every transmit? Set channel (see section on changing channels) Set Mode 2 -- sets bottom 3 bits of W_MODE_WEP to 2 Set Wep Mode / key -- Wep mode is bits 3..5 of W_MODE_WEP BB[13h] = 00h ;CCA operation (use only carrier sense, without ED) BB[35h] = 1Fh ;Energy Detection Threshold (ED) |
reg[032h] = 8000h -- W_WEP_CNT ;Enable WEP processing reg[134h] = FFFFh -- W_BEACONCOUNT2;reset post-beacon counter to LONG time reg[028h] = 0000h -- W_AID_LOW ;\clear W_AID value, again?! reg[02Ah] = 0000h -- W_AID_FULL ;/ reg[0E8h] = 0001h -- W_US_COUNTCNT ;enable microsecond counter reg[038h] = 0000h -- W_POWER_TX ;disable transmit power save reg[020h] = 0000h -- W_BSSID_0 ;\ reg[022h] = 0000h -- W_BSSID_1 ; clear BSSID reg[024h] = 0000h -- W_BSSID_2 ;/ |
reg[0AEh] = 000Dh -- W_TXREQ_SET ;flush all pending transmits (uh?) |
reg[030h] = 8000h W_RXCNT ;enable RX system (done again below) reg[050h] = 4C00h W_RXBUF_BEGIN ;(example values) reg[052h] = 5F60h W_RXBUF_END ;(length = 4960 bytes) reg[056h] = 0C00h/2 W_RXBUF_WR_ADDR ;fifo begin latch address reg[05Ah] = 0C00h/2 W_RXBUF_READCSR ;fifo end, same as begin at start. reg[062h] = 5F60h-2 W_RXBUF_GAP ;(set gap<end) (zero should work, too) reg[030h] = 8001h W_RXCNT ;enable, and latch new fifo values to hardware |
reg[030h] = 8000h W_RXCNT enable receive (again?)
reg[010h] = FFFFh W_IF clear interrupt flags
reg[012h] = whatever W_IE set enabled interrupts
reg[1AEh] = 1FFFh W_RXSTAT_OVF_IE desired STAT Overflow interrupts
reg[1AAh] = 0000h W_RXSTAT_INC_IE desired STAT Increase interrupts
reg[0D0h] = 0181h W_RXFILTER set to 0x581 when you successfully connect
to an access point and fill W_BSSID with a mac
address for it. (W_RXFILTER) [not sure on the values
for this yet]
reg[0E0h] = 000Bh -- W_RXFILTER2 ;
reg[008h] = 0000h -- ? W_TXSTATCNT ;(again?)
reg[00Ah] = 0000h -- ? W_X_00Ah ;(related to rx filter) (again?)
reg[004h] = 0001h -- W_MODE_RST ;hardware mode
reg[0E8h] = 0001h -- W_US_COUNTCNT ;enable microsecond counter (again?)
reg[0EAh] = 0001h -- W_US_COMPARECNT ;enable microsecond compare
reg[048h] = 0000h -- W_POWER_? ;[disabling a power saving technique]
reg[038h].Bit1 = 0 -- W_POWER_TX ;[this too]
reg[048h] = 0000h -- W_POWER_? ;[umm, it's done again. necessary?]
reg[0AEh] = 0002h -- W_TXREQ_SET ;
reg[03Ch].Bit1 = 1 -- W_POWERSTATE ;queue enable power (RX power, we believe)
reg[0ACh] = FFFFh -- W_TXREQ_RESET;reset LOC1..3
|
| DS Wifi Flowcharts |
(1) Copy the TX Header followed by the 802.11 packet to send anywhere it
will fit in MAC memory (halfword-aligned)
(2) Take the offset from start of MAC memory that you put the packet,
divide it by 2, and or with 0x8000 - store this in one of the
W_TXBUF_LOC registers
(3) Set W_TX_RETRYLIMIT, to allow your packet to be retried until an ack is
received (set it to 7, or something similar)
(4) Store the bit associated with the W_TXBUF_LOC register you used
into W_TXREQ_SET - this will send the packet.
(5) You can then read the result data in W_TXSTAT when the TX is over
(you can tell either by polling or interrupt) to find out how many
retries were used, and if the packet was ACK'd
|
(1) Calculate the length of the new packet (read "received frame length"
which is +8 bytes from the start of the packet) - total frame length
is (12 + received frame length) padded to a multiple of 4 bytes.
(2) Read the data out of the RX FIFO area (keep in mind it's a circular
buffer and you may have to wrap around the end of the buffer)
(3) Set the value of W_RXBUF_READCSR to the location of the next packet
(add the length of the packet, and wrap around if necessary)
|
RF[firmware[F2h+(ch-1)*6]/40000h] = firmware[F2h+(ch-1)*6] AND 3FFFFh RF[firmware[F5h+(ch-1)*6]/40000h] = firmware[F5h+(ch-1)*6] AND 3FFFFh delay a few milliseconds ;huh? BB[1Eh] = firmware[146h+(ch-1)] |
num_initial_regs = firmware[042h]
addr=0CEh+num_initial_regs
num_bb_writes = firmware[addr]
num_rf_writes = firmware[43h]
addr=addr+1
for i=1 to num_bb_writes
BB[firmware[addr]] = firmware[addr+ch]
addr=addr+15
next i
for i=1 to num_rf_writes
RF[firmware[addr]] = firmware[addr+ch]
addr=addr+15
next i
|
| DS Wifi Hardware Headers |
Addr Siz Expl.
00h 2 Status - In: Don't care - Out: Status (0000h=Failed, 0001h=Okay)
02h 2 Unknown - In: Don't care
04h 1 Unknown - In: Must be 00h..02h (should be 00h)
(03h..FFh result in error: W_TXSTAT.Bit1 gets set, but
nethertheless header entry[00h] is kept set to 0001h=Okay)
;00h = use W_TX_SEQNO (if enabled in TXBUF_LOCn)
;01h = force NOT to use W_TX_SEQNO (even if it is enabled in LOCn)
;02h = seems to behave same as 01h
05h 1 Unknown - In: Don't care - Out: Set to 00h
06h 2 Unknown - In: Don't care
08h 1 Transfer Rate (0Ah=1Mbit/s, 14h=2Mbit/s) (other values=1MBit/s, too)
09h 1 Unknown - In: Don't care
0Ah 2 Length of IEEE Frame Header+Body+checksum(s) in bytes
(14bits, upper 2bits are unused/don't care)
|
Addr Siz Expl.
00h 2 Flags
Bit0-3: Frame type/subtype:
0 managment/any frame (except beacon and invalid subtypes)
1 managment/beacon frame
5 control/ps-poll frame
8 data/any frame (subtype0..7) (ie. except invalid subtypes)
C,D,E,F unknown (firmware is checking for that values)
Bit4: Seems to be always set
Bit5-7: Seems to be always zero
Bit8: Set when FC.Bit10 is set (more fragments)
Bit9: Set when the lower-4bit of Sequence Control are nonzero,
it is also set when FC.Bit10 is set (more fragments)
So, probably, it is set on fragment-mismatch-errors
Bit10-14: Seems to be always zero
Bit15: Set when Frame Header's BSSID value equals W_BSSID register
02h 2 Unknown (usually 0040h)
04h 2 Time since last packet (eg. when receiving beacons: total random on
first some packets, but later on it gets equal to Beacon Interval)
In other cases, this value is equal to the 1st 2 bytes of the DA ?
[Above time/da effects might be explained by other reason: maybe
this entry is left unchanged, simply containing old WifiRAM value?]
06h 2 Transfer Rate (N*100kbit/s) (ie. 14h for 2Mbit/s)
08h 2 Length of IEEE Frame Header+Body in bytes (excluding FCS checksum)
0Ah 1 MAX RSSI
0Bh 1 MIN RSSI
|
| DS Wifi Multiboot |
802.11 management frame 802.11 beacon header Supported rates (tagged IE, advertises 1 Mbit and 2 Mbit) DS parameter set (tagged IE, note: Distribution System, not Nintendo DS) TIM vector (tagged IE, transmitted as empty) Custom extension (tagged IE, tag 0xDD) |
Offset Description 00h Nintendo Beacon ID (00h,09h,BFh,00h) 04h Stepping Offset for 4808134h/W_BEACONCOUNT2 (always 000Ah) 06h Strange Timestamp (W_US_COUNT*2-VCOUNT*7Fh)/128 (0000h for multiboot) 08h 01 00 0Ah 40 00 0Ch 24 00 0Eh 40 00 10h Randomly generated stream code 12h Number of bytes from entry 18h and up (70h for multiboot) (0 if Empty) 13h Beacon Type (0Bh=Multiboot, 01h=Multicart/Pictochat, 09h=Empty) 14h 0100 0008 (some kind of max,min values?) |
18h No data. |
18h Custom data, usually containing the host name, either in 8bit ascii,
or 16bit unicode format. Sometimes taken from Firmware User Settings,
and sometimes from Cartridge Backup Memory.
|
18h Fixed (always 2348h) 1Ah xxxx 1Ch Chatroom number (00h..03h for Chatroom A..D) 1Dh Number of users already connected (01h..10h) (including host) 1Eh Fixed (always 0004h) |
18h 24 00 40 00 (varies from game to game)
1Ch End of advertisement flag (00 for non-end, 02 for end packets)
1Dh Always 00, 01, 02, or 04
1Eh Number of players already connected
1Fh Sequence number (0 .. total_advertisement_length)
20h Checksum (on entries 22h and up)
chksum=0, for i=22h to 86h step 2, chksum=chksum+halfword[i], next i,
chksum=FFFFh AND NOT (chksum+chksum/10000h)
22h Sequence number in non-final packet, # of players in final packet
23h Total advertisement length - 1 (in beacons)
24h Datasize in bytes (2 byte little-endian)
(0062h for seq 0..7, 0048h for seq 8, 0001h for seq 9)
26h Data (always 62h bytes, padded with 00h if Datasize<62h)
|
Offset Size Description 000h 32 Icon Palette (same as for ROM Cartridge Icon) 020h 512 Icon Bitmap (same as for ROM Cartridge Icon) 220h 1 Unknown (0Bh) 221h 1 Length of hosting name ;(probably same as firmware 222h 20 Name of hosting DS (10 UCS-2) ;user name?) 236h 1 Max number of players 237h 1 Unknown (00h) 238h 96 Game name (48 UCS-2) (same as 1st line of ROM Cartridge Title) 298h 192 Description (96 UCS-2) (same as further lines of ROM Cart Title) 358h 64 00's if no users are connected <---WRONG: LEN=1, not 64 398h 0 End of data if no users are connected |
Host A advertises a game in beacon frames as described above Client B sends an authentication request (sequence 1) to A Host A replies with an ACK Host A sends an authentication reply (sequence 2) to B Client B replies with an association request Host A replies with an ACK Host A sends an association response Client B responds with an ACK |
Host sends Pings (type 0x01, replies are 0x00, 0x07) Host sends RSA frame (type 0x03, replies 0x08) Host sends NDS header (type 0x04, replies 0x09) Host sends ARM9 binary (type 0x04, replies 0x09) Host sends ARM7 binary (type 0x04, replies 0x09) Host terminates transfer (type 0x05, no replies) |
00 for the main data flow, from host to client (sent via Port 090h) 10 for the client to host replies (sent via Port 094h) 03 for the feedback flow, host to client (acknowledges the replies) |
Command Description 0x01 Ping / Name request 0x03 RSA signature frame 0x04 Data packet 0x05 Post-idle / unknown |
Reply ID Description 0x00 Pong (ping reply) 0x07 Name reply 0x08 RSA frame reply 0x09 Data packet reply |
------------------- |
0 1 2 3 4 5 6..e-3 e-2 e-1 e-0 06 01 02 00 Size Flags Payload 00 02 00 |
Offset Size Description 0x00 4 ARM9 execute address 0x04 4 ARM7 execute address 0x08 4 0x00 0x0C 4 Header destination 0x10 4 Header destination 0x14 4 Header size (0x160) 0x18 4 0x00 0x1C 4 ARM9 destination address 0x20 4 ARM9 destination address 0x24 4 ARM9 binary size 0x28 4 0x00 0x2C 4 0x022C0000 0x30 4 ARM7 destination address 0x34 4 ARM7 binary size 0x38 4 0x01 0x3C 136 Signature block 0xC4 36 0x00's 0xE8 0 End of frame payload |
0 1 2 3 .. End 00 [Sequence #] xx .. yy |
------------------- |
0 1 2 3 4 5 6 7 8 9 04 81 00 00 00 00 00 00 00 00 |
0 1 2 3 4 5 6 7 8 9 04 81 07 01 [Character0] [Character1] [Character2] 04 81 07 02 [Character3] [Character4] [Character5] 04 81 07 03 [Character6] [Character7] [Character8] 04 81 07 04 [Character9] 01 00 00 00 |
0 1 2 3 4 5 6 7 8 9 04 81 08 xx xx xx xx xx xx xx |
0 1 2 3 4 5 6 7 8 9 04 81 09 [Last packet] [Best packet] 00 00 00 |
------------------- |
0 1 2 3 ?? 00 00 00 |
| DS Wifi IEEE802.11 Frames |
10..30 bytes MAC Header 0..2312 bytes Frame Body 4 bytes Frame Check Sequence (FCS) (aka checksum) |
Size Content 2 Frame Control Field (FC) 2 Duration/ID 6 Address 1 (6) Address 2 (if any) (6) Address 3 (if any) (2) Sequence Control (if any) (6) Address 4 (if any) |
Bit Expl. 0-1 Protocol Version (0=Current, 1..3=Reserved) 2-3 Type (0=Managment, 1=Control, 2=Data, 3=Reserved) 4-7 Subtype (see next chapters) (meaning depends on above Type) 8 To Distribution System (DS) 9 From Distribution System (DS) 10 More Fragments 11 Retry 12 Power Managment (0=Active, 1=STA will enter Power-Safe mode after..) 13 More Data 14 Wired Equivalent Privacy (WEP) 15 Order |
0000h..7FFFh Duration (0-32767)
8000h Fixed value within frames transmitted during the CFP
(CFP=Contention Free Period)
8001h..BFFFh Reserved
C000h Reserved
C001h..C7D7h Association ID (AID) (1..2007) in PS-Poll frames
C7D8h..FFFFh Reserved
|
0 Group Flag (0=Individual Address, 1=Group Address) 1 Local Flag (0=Universally Administered Address, 1=Locally Administered) 2-23 22bit Manufacturer ID (assigned by IEEE) 24-47 24bit Device ID (assigned by the Manufacturer) |
00 09 BF xx xx xx NDS-Consoles (Original NDS with firmware v1-v5) 00 16 56 xx xx xx NDS-Consoles (Newer NDS-Lite with firmware v6 and up) 03 09 BF 00 00 00 NDS-Multiboot: host to client (main data flow) 03 09 BF 00 00 10 NDS-Multiboot: client to host (replies) 03 09 BF 00 00 03 NDS-Multiboot: host to client (acknowledges replies) FF FF FF FF FF FF Broadcast to all stations (eg. Beacons) |
Bit Expl. 0-3 Fragment Number (0=First (or only) fragment) 4-15 Sequence Number |
3 bytes Initialization Vector 1 byte Pad (6bit, all zero), Key ID (2bit) 1..? bytes Data (encrypted data) 4 bytes ICV (encrypted CRC32 across Data) |
| DS Wifi IEEE802.11 Managment Frames (Type=0) |
FC(2), Duration(2), DA(6), SA(6), BSSID(6), Sequence Control(2) |
Subtype Frame Body
0 Association request Capability, ListenInterval, SSID, SuppRates
1 Association response Capability, Status, AID, SuppRates
2 Reassociation request Capability, ListenInterval, CurrAP, SSID, SuppRates
3 Reassociation response Capability, Status, AID, SuppRates
4 Probe request SSID, SuppRates
5 Probe response Same as for Beacon (but without TIM)
8 Beacon Timestamp,BeaconInterval,Capability,SSID,SuppRates,
FH Parameter Set (when using Frequency Hopping),
DS Parameter Set (when using Direct Sequence),
CF Parameter Set (when supporting PCF),
IBSS Parameter Set (when in an IBSS),
TIM (when generated by AP)
9 Announcement traffic indication message (ATIM) Body is "null" (=none?)
A Disassociation ReasonCode
B Authentication AuthAlgorithm, AuthSequence, Status, ChallengeText
C Deauthentication ReasonCode
|
Timestamp: value of the TSFTIMER (see 11.1) of a frame's source. Uh? |
Current AP (Access Point): MAC Address of AP with which station is associated |
Capability Information (see list below) Status code (see list below) (0000h=Successful, other=Error code) Reason code (see list below) (Error code) Association ID (AID) (C000h+1..2007) Authentication Algorithm (0=Open System, 1=Shared Key, 2..FFFFh=Reserved) Authentication Transaction Sequence Number (Open System:1-2, Shared Key:1-4) Beacon Interval (Time between beacons, N*1024 us) Listen Interval (see note below) |
ID LEN Expl.
00h 00h-20h SSID (LEN=0 for broadcast SSID)
01h 01h-08h Supported rates; each (nn AND 7Fh)*500kbit/s, bit7=flag
02h 05h FH (Frequency Hopping) Parameter Set
DwellTime(16bit), HopSet, HopPattern, HopIndex
03h 01h DS (Distribution System) Parameter Set; Channel (01h..0Eh)
04h 06h CF Parameter Set; Count, Period, MaxDuration, RemainDuration
05h 04h..FEh TIM; Count,Period,Control, 1-251 bytes PartialVirtualBitmap
06h 02h IBSS Parameter Set; ATIM Window length (16bit)
07h-0Fh - Reserved
10h 02h..FEh Challenge text; 1-253 bytes Authentication data
(Used only for Shared Key sequence no 2,3)
(none such for Open System)
(none such for Shared key sequence no 1,4)
11h-1Fh - Reserved for challenge text extension
20h-FFh - Reserved
DDh var Reserved but used by Nintendo for NDS-Multiboot beacons
|
Bit0 ESS Bit1 IBSS Bit2 CF-Pollable Bit3 CF-Poll Request Bit4 Privacy Bit5 Short Preamble (IEEE802.11b only) Bit6 PBCC (IEEE802.11b only) Bit7 Channel Agility (IEEE802.11b only) Bit5-7 Reserved (0) (original IEEE802.11 specs) Bit8-15 Reserved (0) |
... used to indicate to the AP how often an STA wakes to listen to Beacon management frames. The value of this parameter is the STA's Listen Interval parameter of the MLME-Associate. request primitive and is expressed in units of Beacon Interval. |
00h Reserved
01h Unspecified reason
02h Previous authentication no longer valid
03h Deauthenticated because sending station is leaving (or has left) IBSS
or ESS
04h Disassociated due to inactivity
05h Disassociated because AP is unable to handle all currently associated
stations
06h Class 2 frame received from nonauthenticated station
07h Class 3 frame received from nonassociated station
08h Disassociated because sending station is leaving (or has left) BSS
09h Station requesting (re)association is not authenticated with responding
station
0Ah..FFFFh Reserved
|
00h Successful
01h Unspecified failure
02h..09h Reserved
0Ah Cannot support all requested cap's in the Capability Information field
0Bh Reassociation denied due to inability to confirm that association exists
0Ch Association denied due to reason outside the scope of this standard
0Dh Responding station doesn't support the specified authentication algorithm
0Eh Received an Authentication frame with authentication transaction sequence
number out of expected sequence
0Fh Authentication rejected because of challenge failure
10h Authentication rejected due to timeout waiting for next frame in sequence
11h Association denied because AP is unable to handle additional associated
stations
12h Association denied due to requesting station not supporting all of the
data rates in the BSSBasicRateSet parameter
13h Association denied due to requesting station not supporting
the Short Preamble option (IEEE802.11b only)
14h Association denied due to requesting station not supporting
the PBCC Modulation option (IEEE802.11b only)
15h Association denied due to requesting station not supporting
the Channel Agility option (IEEE802.11b only)
13h-15h Reserved (original IEEE802.11 specs)
16h..FFFFh Reserved
|
| DS Wifi IEEE802.11 Control and Data Frames (Type=1 and 2) |
Subtype Frame Header A Power Save (PS)-Poll FC AID BSSID TA B Request To Send (RTS) FC Duration RA TA C Clear To Send (CTS) FC Duration RA - D Acknowledgment (ACK) FC Duration RA - E Contention-Free (CF)-End FC Duration RA BSSID F CF-End + CF-Ack FC Duration RA BSSID |
FC, Duration/ID, Address 1, Address 2, Address 3, Sequence Control, Address 4 (only on From DS to DS), Frame Body, FCS. |
Frame Control Address 1 Address 2 Address 3 Address 4 From STA to STA DA SA BSSID - From DS to STA DA BSSID SA - From STA to DS BSSID SA DA - From DS to DS RA TA DA SA |
0 Data 1 Data + CF-Ack 2 Data + CF-Poll 3 Data + CF-Ack + CF-Poll 4 Null function (no data) 5 CF-Ack (no data) 6 CF-Poll (no data) 7 CF-Ack + CF-Poll (no data) 8-F Reserved |
| DS Backwards-compatible GBA-Mode |
--- NDS9: --- ZEROFILL VRAM A,B ;init black screen border (or other color/image) POWCNT=8003h ;enable 2D engine A on upper screen (0003h=lower) EXMEMCNT=... ;set Async Main Memory mode (clear bit14) IME=0 ;disable interrupts SWI 06h ;halt with interrupts disabled (lockdown) --- NDS7: --- POWERMAN.REG0=09h ;enable sound amplifier & upper backlight (05h=lower) IME=0 ;disable interrupts wait for VCOUNT=200 ;wait until VBlank SWI 1Fh with R2=40h ;enter GBA mode, by CustomHalt(40h) |
| DS Xboo |
Console Pin/Names Parallel Port Pin/Names RFU.9 FMW.1 D ---|>|--- DSUB.14 CNTR.14 AutoLF RFU.6 FMW.2 C ---|>|--- DSUB.1 CNTR.1 Strobe RFU.10 FMW.3 /RES ---|>|--- DSUB.16 CNTR.31 Init RFU.7 FMW.4 /S ---|>|--- DSUB.17 CNTR.36 Select RFU.5 FMW.5 /W --. SL1A - - N.C. RFU.28 FMW.6 VCC __| SL1B - - N.C. RFU.2,12 FMW.7 VSS --------- DSUB.18-25 CNTR.19-30 Ground RFU.8 FMW.8 Q --------- DSUB.11 CNTR.11 Busy P00 Joypad-A ---|>|--- DSUB.2 CNTR.2 D0 P01 Joypad-B ---|>|--- DSUB.3 CNTR.3 D1 P02 Joypad-Select ---|>|--- DSUB.4 CNTR.4 D2 P03 Joypad-Start ---|>|--- DSUB.5 CNTR.5 D3 P04 Joypad-Right ---|>|--- DSUB.6 CNTR.6 D4 P05 Joypad-Left ---|>|--- DSUB.7 CNTR.7 D5 P06 Joypad-Up ---|>|--- DSUB.8 CNTR.8 D6 P07 Joypad-Down ---|>|--- DSUB.9 CNTR.9 D7 RTC.1 INT aka SI --------- DSUB.10 CNTR.10 /Ack |
http://nocash.emubase.de/nds-pins.gif (GIF-Image, 7.5KBytes) |
| About this Document |